SUSE-SU-2024:4364-1

Published: 17 Dec 2024
Source: suse-cvrf

Description

Security update for the Linux Kernel

The SUSE Linux Enterprise 15 SP5 kernel was updated to receive various security bugfixes.

The following security bugs were fixed:

  • CVE-2021-47594: mptcp: never allow the PM to close a listener subflow (bsc#1226560).
  • CVE-2022-48879: efi: fix NULL-deref in init error path (bsc#1229556).
  • CVE-2022-48956: ipv6: avoid use-after-free in ip6_fragment() (bsc#1231893).
  • CVE-2022-48957: dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove() (bsc#1231973).
  • CVE-2022-48958: ethernet: aeroflex: fix potential skb leak in greth_init_rings() (bsc#1231889).
  • CVE-2022-48959: net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions() (bsc#1231976).
  • CVE-2022-48960: net: hisilicon: Fix potential use-after-free in hix5hd2_rx() (bsc#1231979).
  • CVE-2022-48962: net: hisilicon: Fix potential use-after-free in hisi_femac_rx() (bsc#1232286).
  • CVE-2022-48966: net: mvneta: Fix an out of bounds check (bsc#1232191).
  • CVE-2022-48980: net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing() (bsc#1232233).
  • CVE-2022-48983: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb() (bsc#1231959).
  • CVE-2022-48991: mm/khugepaged: fix collapse_pte_mapped_thp() to allow anon_vma (bsc#1232070).
  • CVE-2022-49015: net: hsr: Fix potential use-after-free (bsc#1231938).
  • CVE-2022-49017: tipc: re-fetch skb cb after tipc_msg_validate (bsc#1232004).
  • CVE-2022-49020: net/9p: Fix a potential socket leak in p9_socket_open (bsc#1232175).
  • CVE-2024-26782: mptcp: fix double-free on socket dismantle (bsc#1222590).
  • CVE-2024-26906: Fixed invalid vsyscall page read for copy_from_kernel_nofault() (bsc#1223202).
  • CVE-2024-26953: net: esp: fix bad handling of pages from page_pool (bsc#1223656).
  • CVE-2024-35888: erspan: make sure erspan_base_hdr is present in skb->head (bsc#1224518).
  • CVE-2024-35937: wifi: cfg80211: check A-MSDU format more carefully (bsc#1224526).
  • CVE-2024-36244: net/sched: taprio: extend minimum interval restriction to entire cycle too (bsc#1226797).
  • CVE-2024-36883: net: fix out-of-bounds access in ops_init (bsc#1225725).
  • CVE-2024-36886: tipc: fix UAF in error path (bsc#1225730).
  • CVE-2024-36905: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets (bsc#1225742).
  • CVE-2024-36954: tipc: fix a possible memleak in tipc_buf_append (bsc#1225764).
  • CVE-2024-36957: octeontx2-af: avoid off-by-one read from userspace (bsc#1225762).
  • CVE-2024-38589: netrom: fix possible dead-lock in nr_rt_ioctl() (bsc#1226748).
  • CVE-2024-38615: cpufreq: exit() callback is optional (bsc#1226592).
  • CVE-2024-39476: md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING (bsc#1227437).
  • CVE-2024-40965: i2c: lpi2c: Avoid calling clk_get_rate during transfer (bsc#1227885).
  • CVE-2024-40997: cpufreq: amd-pstate: fix memory leak on CPU EPP exit (bsc#1227853).
  • CVE-2024-41023: sched/deadline: Fix task_struct reference leak (bsc#1228430).
  • CVE-2024-42226: Prevent potential failure in handle_tx_event() for Transfer events without TRB (bsc#1228709).
  • CVE-2024-42253: gpio: pca953x: fix pca953x_irq_bus_sync_unlock race (bsc#1229005).
  • CVE-2024-44931: gpio: prevent potential speculation leaks in gpio_device_get_desc() (bsc#1229837).
  • CVE-2024-44932: idpf: fix UAFs when destroying the queues (bsc#1229808).
  • CVE-2024-44958: sched/smt: Fix unbalance sched_smt_present dec/inc (bsc#1230179).
  • CVE-2024-44964: idpf: fix memory leaks and crashes while performing a soft reset (bsc#1230220).
  • CVE-2024-44995: net: hns3: fix a deadlock problem when config TC during resetting (bsc#1230231).
  • CVE-2024-45016: netem: fix return value if duplicate enqueue fails (bsc#1230429).
  • CVE-2024-45025: fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE (bsc#1230456).
  • CVE-2024-46678: bonding: change ipsec_lock from spin lock to mutex (bsc#1230550).
  • CVE-2024-46681: pktgen: use cpus_read_lock() in pg_net_init() (bsc#1230558).
  • CVE-2024-46716: dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor (bsc#1230715).
  • CVE-2024-46754: bpf: Remove tst_run from lwt_seg6local_prog_ops (bsc#1230801).
  • CVE-2024-46770: ice: Add netif_device_attach/detach into PF reset flow (bsc#1230763).
  • CVE-2024-46775: drm/amd/display: Validate function returns (bsc#1230774).
  • CVE-2024-46777: udf: Avoid excessive partition lengths (bsc#1230773).
  • CVE-2024-46800: sch/netem: fix use after free in netem_dequeue (bsc#1230827).
  • CVE-2024-46809: drm/amd/display: Check BIOS images before it is used (bsc#1231148).
  • CVE-2024-46811: drm/amd/display: Fix index may exceed array range within fpu_update_bw_bounding_box (bsc#1231179).
  • CVE-2024-46813: drm/amd/display: Check link_index before accessing dc->links (bsc#1231191).
  • CVE-2024-46814: drm/amd/display: Check msg_id before processing transaction (bsc#1231193).
  • CVE-2024-46815: drm/amd/display: Check num_valid_sets before accessing reader_wm_sets (bsc#1231195).
  • CVE-2024-46816: drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links (bsc#1231197).
  • CVE-2024-46817: drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 (bsc#1231200).
  • CVE-2024-46818: drm/amd/display: Check gpio_id before used as array index (bsc#1231203).
  • CVE-2024-46826: ELF: fix kernel.randomize_va_space double read (bsc#1231115).
  • CVE-2024-46828: uprobes: fix kernel info leak via '[uprobes]' vma (bsc#1231114).
  • CVE-2024-46834: ethtool: fail closed if we can't get max channel used in indirection tables (bsc#1231096).
  • CVE-2024-46840: btrfs: clean up our handling of refs == 0 in snapshot delete (bsc#1231105).
  • CVE-2024-46841: btrfs: do not BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() (bsc#1231094).
  • CVE-2024-46848: perf/x86/intel: Limit the period on Haswell (bsc#1231072).
  • CVE-2024-46849: ASoC: meson: axg-card: fix 'use-after-free' (bsc#1231073).
  • CVE-2024-46854: net: dpaa: Pad packets to ETH_ZLEN (bsc#1231084).
  • CVE-2024-46855: netfilter: nft_socket: fix sk refcount leaks (bsc#1231085).
  • CVE-2024-46857: net/mlx5: Fix bridge mode operations when there are no VFs (bsc#1231087).
  • CVE-2024-47660: fsnotify: clear PARENT_WATCHED flags lazily (bsc#1231439).
  • CVE-2024-47661: drm/amd/display: Avoid overflow from uint32_t to uint8_t (bsc#1231496).
  • CVE-2024-47664: spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware (bsc#1231442).
  • CVE-2024-47668: lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc() (bsc#1231502).
  • CVE-2024-47672: wifi: iwlwifi: mvm: do not wait for tx queues if firmware is dead (bsc#1231540).
  • CVE-2024-47673: wifi: iwlwifi: mvm: pause TCM when the firmware is stopped (bsc#1231539).
  • CVE-2024-47674: mm: avoid leaving partial pfn mappings around in error case (bsc#1231673).
  • CVE-2024-47679: vfs: fix race between evice_inodes() and find_inode()&iput() (bsc#1231930).
  • CVE-2024-47684: tcp: check skb is non-NULL in tcp_rto_delta_us() (bsc#1231987).
  • CVE-2024-47685: netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put() (bsc#1231998).
  • CVE-2024-47692: nfsd: return -EINVAL when namelen is 0 (bsc#1231857).
  • CVE-2024-47701: ext4: explicitly exit when ext4_find_inline_entry returns an error (bsc#1231920).
  • CVE-2024-47704: drm/amd/display: Check link_res->hpo_dp_link_enc before using it (bsc#1231944).
  • CVE-2024-47705: block: fix potential invalid pointer dereference in blk_add_partition (bsc#1231872).
  • CVE-2024-47706: block, bfq: fix possible UAF for bfqq->bic with merge chain (bsc#1231942).
  • CVE-2024-47707: ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() (bsc#1231935).
  • CVE-2024-47710: sock_map: Add a cond_resched() in sock_hash_free() (bsc#1232049).
  • CVE-2024-47720: drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func (bsc#1232043).
  • CVE-2024-47727: x86/tdx: Fix 'in-kernel MMIO' check (bsc#1232116).
  • CVE-2024-47730: crypto: hisilicon/qm - inject error before stopping queue (bsc#1232075).
  • CVE-2024-47738: wifi: mac80211: do not use rate mask for offchannel TX either (bsc#1232114).
  • CVE-2024-47739: padata: use integer wrap around to prevent deadlock on seq_nr overflow (bsc#1232124).
  • CVE-2024-47745: mm: split critical region in remap_file_pages() and invoke LSMs in between (bsc#1232135).
  • CVE-2024-47747: net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition (bsc#1232145).
  • CVE-2024-47748: vhost_vdpa: assign irq bypass producer token correctly (bsc#1232174).
  • CVE-2024-47757: nilfs2: fix potential oob read in nilfs_btree_check_delete() (bsc#1232187).
  • CVE-2024-49858: efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption (bsc#1232251).
  • CVE-2024-49860: ACPI: sysfs: validate return type of _STR method (bsc#1231861).
  • CVE-2024-49866: tracing/timerlat: Fix a race during cpuhp processing (bsc#1232259).
  • CVE-2024-49868: btrfs: fix a NULL pointer dereference when failed to start a new transaction (bsc#1232272).
  • CVE-2024-49881: ext4: update orig_path in ext4_find_extent() (bsc#1232201).
  • CVE-2024-49882: ext4: fix double brelse() the buffer of the extents path (bsc#1232200).
  • CVE-2024-49883: ext4: avoid use-after-free in ext4_ext_insert_extent() (bsc#1232199).
  • CVE-2024-49886: platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug (bsc#1232196).
  • CVE-2024-49890: drm/amd/pm: ensure the fw_info is not null before using it (bsc#1232217).
  • CVE-2024-49892: drm/amd/display: Initialize get_bytes_per_element's default to 1 (bsc#1232220).
  • CVE-2024-49896: drm/amd/display: Check stream before comparing them (bsc#1232221).
  • CVE-2024-49897: drm/amd/display: Check phantom_stream before it is used (bsc#1232355).
  • CVE-2024-49899: drm/amd/display: Initialize denominators' default to 1 (bsc#1232358).
  • CVE-2024-49901: drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs (bsc#1232305).
  • CVE-2024-49906: drm/amd/display: Check null pointer before try to access it (bsc#1232332).
  • CVE-2024-49909: drm/amd/display: Add NULL check for function pointer in dcn32_set_output_transfer_func (bsc#1232337).
  • CVE-2024-49911: drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func (bsc#1232366).
  • CVE-2024-49914: drm/amd/display: Add null check for pipe_ctx->plane_state in (bsc#1232369).
  • CVE-2024-49917: drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw (bsc#1231965).
  • CVE-2024-49918: drm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer (bsc#1231967).
  • CVE-2024-49919: drm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer (bsc#1231968).
  • CVE-2024-49920: drm/amd/display: Check null pointers before multiple uses (bsc#1232313).
  • CVE-2024-49921: drm/amd/display: Check null pointers before used (bsc#1232371).
  • CVE-2024-49922: drm/amd/display: Check null pointers before using them (bsc#1232374).
  • CVE-2024-49923: drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags (bsc#1232361).
  • CVE-2024-49925: fbdev: efifb: Register sysfs groups through driver core (bsc#1232224).
  • CVE-2024-49929: wifi: iwlwifi: mvm: avoid NULL pointer dereference (bsc#1232253).
  • CVE-2024-49930: wifi: ath11k: fix array out-of-bound access in SoC stats (bsc#1232260).
  • CVE-2024-49933: blk_iocost: fix more out of bound shifts (bsc#1232368).
  • CVE-2024-49934: fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name (bsc#1232387).
  • CVE-2024-49936: net/xen-netback: prevent UAF in xenvif_flush_hash() (bsc#1232424).
  • CVE-2024-49939: wifi: rtw89: avoid to add interface to list twice when SER (bsc#1232381).
  • CVE-2024-49945: net/ncsi: Disable the ncsi work before freeing the associated structure (bsc#1232165).
  • CVE-2024-49946: ppp: do not assume bh is held in ppp_channel_bridge_input() (bsc#1232164).
  • CVE-2024-49949: net: avoid potential underflow in qdisc_pkt_len_init() with UFO (bsc#1232160).
  • CVE-2024-49950: Bluetooth: L2CAP: Fix uaf in l2cap_connect (bsc#1232159).
  • CVE-2024-49954: static_call: Replace pointless WARN_ON() in static_call_module_notify() (bsc#1232155).
  • CVE-2024-49955: ACPI: battery: Fix possible crash when unregistering a battery hook (bsc#1232154).
  • CVE-2024-49958: ocfs2: reserve space for inline xattr before attaching reflink tree (bsc#1232151).
  • CVE-2024-49959: jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error (bsc#1232149).
  • CVE-2024-49960: ext4: fix timer use-after-free on failed mount (bsc#1232395).
  • CVE-2024-49967: ext4: no need to continue when the number of entries is 1 (bsc#1232140).
  • CVE-2024-49968: ext4: fix error message when rejecting the default hash (bsc#1232264).
  • CVE-2024-49969: drm/amd/display: Fix index out of bounds in DCN30 color transformation (bsc#1232519).
  • CVE-2024-49973: r8169: add tally counter fields added with RTL8125 (bsc#1232105).
  • CVE-2024-49974: NFSD: Force all NFSv4.2 COPY requests to be synchronous (bsc#1232383).
  • CVE-2024-49975: uprobes: fix kernel info leak via '[uprobes]' vma (bsc#1232104).
  • CVE-2024-49983: ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free (bsc#1232096).
  • CVE-2024-49989: drm/amd/display: fix double free issue during amdgpu module unload (bsc#1232483).
  • CVE-2024-49991: drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer (bsc#1232282).
  • CVE-2024-49993: iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count (bsc#1232316).
  • CVE-2024-49995: tipc: guard against string buffer overrun (bsc#1232432).
  • CVE-2024-49996: cifs: Fix buffer overflow when parsing NFS reparse points (bsc#1232089).
  • CVE-2024-50000: net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() (bsc#1232085).
  • CVE-2024-50001: net/mlx5: Fix error path in multi-packet WQE transmit (bsc#1232084).
  • CVE-2024-50002: static_call: Handle module init failure correctly in static_call_del_module() (bsc#1232083).
  • CVE-2024-50006: ext4: fix i_data_sem unlock order in ext4_ind_migrate() (bsc#1232442).
  • CVE-2024-50009: cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value (bsc#1232318).
  • CVE-2024-50014: ext4: fix access to uninitialised lock in fc replay path (bsc#1232446).
  • CVE-2024-50019: kthread: unpark only parked kthread (bsc#1231990).
  • CVE-2024-50024: net: Fix an unsafe loop on the list (bsc#1231954).
  • CVE-2024-50028: thermal: core: Reference count the zone in thermal_zone_get_by_id() (bsc#1231950).
  • CVE-2024-50033: slip: make slhc_remember() more robust against malicious packets (bsc#1231914).
  • CVE-2024-50035: ppp: fix ppp_async_encode() illegal access (bsc#1232392).
  • CVE-2024-50041: i40e: Fix macvlan leak by synchronizing access to mac_filter_hash (bsc#1231907).
  • CVE-2024-50045: netfilter: br_netfilter: fix panic with metadata_dst skb (bsc#1231903).
  • CVE-2024-50046: kabi fix for NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies() (bsc#1231902).
  • CVE-2024-50047: smb: client: fix UAF in async decryption (bsc#1232418).
  • CVE-2024-50048: fbcon: Fix a NULL pointer dereference issue in fbcon_putcs (bsc#1232310).
  • CVE-2024-50055: driver core: bus: Fix double free in driver API bus_register() (bsc#1232329).
  • CVE-2024-50058: serial: protect uart_port_dtr_rts() in uart_shutdown() too (bsc#1232285).
  • CVE-2024-50059: ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition (bsc#1232345).
  • CVE-2024-50061: i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition (bsc#1232263).
  • CVE-2024-50063: kABI: bpf: struct bpf_map kABI workaround (bsc#1232435).
  • CVE-2024-50073: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux (bsc#1232520).
  • CVE-2024-50081: blk-mq: setup queue ->tag_set before initializing hctx (bsc#1232501).
  • CVE-2024-50082: blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race (bsc#1232500).
  • CVE-2024-50089: unicode: Do not special case ignorable code points (bsc#1232860).
  • CVE-2024-50093: thermal: intel: int340x: processor: Fix warning during module unload (bsc#1232877).
  • CVE-2024-50098: scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down (bsc#1232881).
  • CVE-2024-50108: drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too (bsc#1232884).
  • CVE-2024-50110: xfrm: fix one more kernel-infoleak in algo dumping (bsc#1232885).
  • CVE-2024-50115: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory (bsc#1232919).
  • CVE-2024-50125: Bluetooth: SCO: Fix UAF on sco_sock_timeout (bsc#1232928).
  • CVE-2024-50127: net: sched: fix use-after-free in taprio_change() (bsc#1232907).
  • CVE-2024-50128: net: wwan: fix global oob in wwan_rtnl_policy (bsc#1232905).
  • CVE-2024-50134: drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape (bsc#1232890).
  • CVE-2024-50135: nvme-pci: fix race condition between reset and nvme_dev_disable() (bsc#1232888).
  • CVE-2024-50138: bpf: Use raw_spinlock_t in ringbuf (bsc#1232935).
  • CVE-2024-50146: net/mlx5e: Do not call cleanup on profile rollback failure (bsc#1233056).
  • CVE-2024-50147: net/mlx5: Fix command bitmask initialization (bsc#1233067).
  • CVE-2024-50153: scsi: target: core: Fix null-ptr-deref in target_alloc_device() (bsc#1233061).
  • CVE-2024-50154: tcp: Fix use-after-free of nreq in reqsk_timer_handler() (bsc#1233070).
  • CVE-2024-50167: be2net: fix potential memory leak in be_xmit() (bsc#1233049).
  • CVE-2024-50171: net: systemport: fix potential memory leak in bcm_sysport_xmit() (bsc#1233057).
  • CVE-2024-50182: secretmem: disable memfd_secret() if arch cannot set direct map (bsc#1233129).
  • CVE-2024-50184: virtio_pmem: Check device status before requesting flush (bsc#1233135).
  • CVE-2024-50186: net: explicitly clear the sk pointer, when pf->create fails (bsc#1233110).
  • CVE-2024-50188: net: phy: dp83869: fix memory corruption when enabling fiber (bsc#1233107).
  • CVE-2024-50192: irqchip/gic-v4: Correctly deal with set_affinity on lazily-mapped VPEs (bsc#1233106).
  • CVE-2024-50195: posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() (bsc#1233103).
  • CVE-2024-50196: pinctrl: ocelot: fix system hang on level based interrupts (bsc#1233113).
  • CVE-2024-50205: ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() (bsc#1233293).
  • CVE-2024-50208: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages (bsc#1233117).
  • CVE-2024-50229: nilfs2: fix potential deadlock with newly created symlinks (bsc#1233205).
  • CVE-2024-50230: nilfs2: fix kernel bug due to missing clearing of checked flag (bsc#1233206).
  • CVE-2024-50259: netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() (bsc#1233214).
  • CVE-2024-50261: macsec: Fix use-after-free while sending the offloading packet (bsc#1233253).
  • CVE-2024-50264: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans (bsc#1233453).
  • CVE-2024-50267: usb: serial: io_edgeport: fix use after free in debug printk (bsc#1233456).
  • CVE-2024-50271: signal: restore the override_rlimit logic (bsc#1233460).
  • CVE-2024-50273: btrfs: reinitialize delayed ref list after deleting it from the list (bsc#1233462).
  • CVE-2024-50274: idpf: avoid vport access in idpf_get_link_ksettings (bsc#1233463).
  • CVE-2024-50279: dm cache: fix out-of-bounds access to the dirty bitset when resizing (bsc#1233468).
  • CVE-2024-50289: media: av7110: fix a spectre vulnerability (bsc#1233478).
  • CVE-2024-50295: net: arc: fix the device for dma_map_single/dma_unmap_single (bsc#1233484).
  • CVE-2024-50298: net: enetc: allocate vf_state during PF probes (bsc#1233487).
  • CVE-2024-53052: io_uring/rw: fix missing NOWAIT check for O_DIRECT start write (bsc#1233548).
  • CVE-2024-53058: net: stmmac: TSO: Fix unbalanced DMA map/unmap for non-paged SKB data (bsc#1233552).
  • CVE-2024-53061: media: s5p-jpeg: prevent buffer overflows (bsc#1233555).
  • CVE-2024-53063: media: dvbdev: prevent the risk of out of memory access (bsc#1233557).
  • CVE-2024-53068: firmware: arm_scmi: Fix slab-use-after-free in scmi_bus_notifier() (bsc#1233561).
  • CVE-2024-53079: mm/thp: fix deferred split unqueue naming and locking (bsc#1233570).
  • CVE-2024-53088: i40e: fix race condition by adding filter's intermediate sync state (bsc#1233580).
  • CVE-2024-53104: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format (bsc#1234025).
  • CVE-2024-53110: vp_vdpa: fix id_table array not null terminated error (bsc#1234085).

The following non-security bugs were fixed:

  • acpi: battery: Call power_supply_changed() when adding hooks (bsc#1232154).
  • acpi: battery: Simplify battery hook locking (bsc#1232154).
  • acpi: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue (stable-fixes).
  • acpi: CPPC: Fix _CPC register setting issue (git-fixes).
  • acpi: CPPC: Make rmw_lock a raw_spin_lock (git-fixes).
  • acpi: EC: Do not release locks during operation region accesses (stable-fixes).
  • acpi: PAD: fix crash in exit_round_robin() (stable-fixes).
  • acpi: PRM: Clean up guid type in struct prm_handler_info (git-fixes).
  • acpi: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context (git-fixes).
  • acpi: resource: Add another DMI match for the TongFang GMxXGxx (stable-fixes).
  • acpi: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[] (stable-fixes).
  • acpi: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] (stable-fixes).
  • acpi: resource: Add LG 16T90SP to irq1_level_low_skip_override[] (stable-fixes).
  • acpica: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() (stable-fixes).
  • acpica: Fix memory leak if acpi_ps_get_next_field() fails (stable-fixes).
  • acpica: Fix memory leak if acpi_ps_get_next_namepath() fails (stable-fixes).
  • acpica: iasl: handle empty connection_node (stable-fixes).
  • ad7780: fix division by zero in ad7780_write_raw() (git-fixes).
  • adapt same struct naming as similar kABI workaround in SLE15-SP6 (prefixed with 'suse_' to make it more obvious it's a downstream thing).
  • add bug reference for a mana change (bsc#1229769).
  • add bug references to existing mana changes (bsc#1232033, bsc#1232034, bsc#1232036).
  • add bugreference to a hv_netvsc patch (bsc#1232413).
  • afs: Revert 'afs: Hide silly-rename files from userspace' (git-fixes).
  • alsa: 6fire: Release resources at card release (git-fixes).
  • alsa: ac97: bus: Fix the mistake in the comment (git-fixes).
  • alsa: asihpi: Fix potential OOB array access (stable-fixes).
  • alsa: caiaq: Use snd_card_free_when_closed() at disconnection (git-fixes).
  • alsa: core: add isascii() check to card ID generator (stable-fixes).
  • alsa: firewire-lib: Avoid division by zero in apply_constraint_to_size() (git-fixes).
  • alsa: firewire-lib: fix return value on fail in amdtp_tscm_init() (git-fixes).
  • alsa: hda: cs35l41: fix module autoloading (git-fixes).
  • alsa: hda: Fix kctl->id initialization (git-fixes).
  • alsa: hda/conexant - Fix audio routing for HP EliteOne 1000 G2 (stable-fixes).
  • alsa: hda/conexant - Use cached pin control for Node 0x1d on HP EliteOne 1000 G2 (git-fixes).
  • alsa: hda/conexant: Fix conflicting quirk for System76 Pangolin (git-fixes).
  • alsa: hda/cs8409: Fix possible NULL dereference (git-fixes).
  • alsa: hda/generic: Unconditionally prefer preferred_dacs pairs (git-fixes).
  • alsa: hda/realtek - Fixed ALC256 headphone no sound (stable-fixes).
  • alsa: hda/realtek - Fixed ALC285 headphone no sound (stable-fixes).
  • alsa: hda/realtek - Fixed Clevo platform headset Mic issue (stable-fixes).
  • alsa: hda/realtek: Add a quirk for HP Pavilion 15z-ec200 (stable-fixes).
  • alsa: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9 (stable-fixes).
  • alsa: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 (stable-fixes).
  • alsa: hda/realtek: Fix headset mic on TUXEDO Gemini 17 Gen3 (stable-fixes).
  • alsa: hda/realtek: Fix headset mic on TUXEDO Stellaris 16 Gen6 mb1 (stable-fixes).
  • alsa: hda/realtek: fix mute/micmute LEDs for a HP EliteBook 645 G10 (stable-fixes).
  • alsa: hda/realtek: Fix the push button function for the ALC257 (git-fixes).
  • alsa: hda/realtek: Limit internal Mic boost on Dell platform (stable-fixes).
  • alsa: hda/realtek: Update ALC225 depop procedure (git-fixes).
  • alsa: hda/realtek: Update ALC256 depop procedure (git-fixes).
  • alsa: hda/realtek: Update default depop procedure (git-fixes).
  • alsa: hdsp: Break infinite MIDI input flush loop (stable-fixes).
  • alsa: line6: add hw monitor volume control to POD HD500X (stable-fixes).
  • alsa: mixer_oss: Remove some incorrect kfree_const() usages (git-fixes).
  • alsa: us122l: Use snd_card_free_when_closed() at disconnection (git-fixes).
  • alsa: usb-audio: Add delay quirk for VIVO USB-C HEADSET (stable-fixes).
  • alsa: usb-audio: Add input value sanity checks for standard types (stable-fixes).
  • alsa: usb-audio: Add logitech Audio profile quirk (stable-fixes).
  • alsa: usb-audio: Add native DSD support for Luxman D-08u (stable-fixes).
  • alsa: usb-audio: Add quirk for HP 320 FHD Webcam (stable-fixes).
  • alsa: usb-audio: Add quirks for Dell WD19 dock (stable-fixes).
  • alsa: usb-audio: Define macros for quirk table entries (stable-fixes).
  • alsa: usb-audio: Replace complex quirk lines with macros (stable-fixes).
  • alsa: usx2y: Use snd_card_free_when_closed() at disconnection (git-fixes).
  • amd-pstate: Set min_perf to nominal_perf for active mode performance gov (git-fixes).
  • arm64: cputype: Add Neoverse-N3 definitions (git-fixes).
  • arm64: dts: imx8mp: correct sdhc ipg clk (git-fixes).
  • arm64: dts: rockchip: override BIOS_DISABLE signal via GPIO hog on RK3399 Puma (git-fixes).
  • arm64: errata: Expand speculative SSBS workaround once more (git-fixes).
  • arm64: esr: Define ESR_ELx_EC_* constants as UL (git-fixes).
  • arm64: fix .data.rel.ro size assertion when CONFIG_LTO_CLANG (git-fixes).
  • arm64: Force position-independent veneers (git-fixes).
  • arm64: probes: Fix simulate_ldr*_literal() (git-fixes).
  • arm64: probes: Fix uprobes for big-endian kernels (git-fixes).
  • arm64: probes: Remove broken LDR (literal) uprobe support (git-fixes).
  • arm64: smccc: Remove broken support for SMCCCv1.3 SVE discard hint (git-fixes).
  • arm64: smccc: replace custom COUNT_ARGS() & CONCATENATE() (git-fixes).
  • arm64: tls: Fix context-switching of tpidrro_el0 when kpti is enabled (git-fixes).
  • arm64: uprobe: fix the uprobe SWBP_INSN in big-endian (git-fixes).
  • arm64/sve: Discard stale CPU state when handling SVE traps (git-fixes).
  • asoc: allow module autoloading for table db1200_pids (stable-fixes).
  • asoc: amd: yc: Fix for enabling DMIC on acp6x via _DSD entry (git-fixes).
  • asoc: codecs: Fix atomicity violation in snd_soc_component_get_drvdata() (git-fixes).
  • asoc: codecs: lpass-rx-macro: add missing CDC_RX_BCL_VBAT_RF_PROC2 to default regs values (stable-fixes).
  • asoc: cs42l51: Fix some error handling paths in cs42l51_probe() (git-fixes).
  • asoc: fsl_sai: Enable 'FIFO continue on error' FCONT bit (stable-fixes).
  • asoc: imx-card: Set card.owner to avoid a warning calltrace if SND=m (git-fixes).
  • asoc: intel: fix module autoloading (stable-fixes).
  • asoc: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() (git-fixes).
  • asoc: qcom: sm8250: add qrb4210-rb2-sndcard compatible string (stable-fixes).
  • asoc: rt5682: Return devm_of_clk_add_hw_provider to transfer the error (git-fixes).
  • asoc: soc-pcm: Do not zero TDM masks in __soc_pcm_open() (git-fixes).
  • asoc: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove (git-fixes).
  • asoc: tda7419: fix module autoloading (stable-fixes).
  • blk-throttle: Fix io statistics for cgroup v1 (bsc#1233528).
  • block: Avoid leaking hctx->nr_active counter on batched completion (bsc#1231923).
  • block: print symbolic error name instead of error code (bsc#1231872).
  • bluetooth: bnep: fix wild-memory-access in proto_unregister (git-fixes).
  • bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes).
  • bluetooth: btusb: Fix regression with fake CSR controllers 0a12:0001 (git-fixes).
  • bluetooth: Call iso_exit() on module unload (git-fixes).
  • bluetooth: hci_event: Align BR/EDR JUST_WORKS pairing with LE (git-fixes).
  • bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs (git-fixes).
  • bluetooth: ISO: Fix multiple init when debugfs is disabled (git-fixes).
  • bluetooth: MGMT: Fix slab-use-after-free Read in set_powered_sync (git-fixes).
  • bluetooth: Remove debugfs directory on module init failure (git-fixes).
  • bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change (git-fixes).
  • bnxt_en: Fix the PCI-AER routines (git-fixes).
  • bnxt_en: refactor reset close code (git-fixes).
  • bnxt_en: Remove mis-applied code from bnxt_cfg_ntp_filters() (git-fixes).
  • bnxt_en: Reserve rings after PCIe AER recovery if NIC interface is down (git-fixes).
  • bnxt_en: Reset PTP tx_avail after possible firmware reset (git-fixes).
  • bnxt_en: Restore PTP tx_avail count in case of skb_pad() error (git-fixes).
  • bnxt_en: Wait for FLR to complete during probe (git-fixes).
  • bpf, lsm: Add disabled BPF LSM hook list (git-fixes).
  • bpf, net: Fix a potential race in do_sock_getsockopt() (git-fixes).
  • bpf, verifier: Correct tail_call_reachable for bpf prog (git-fixes).
  • bpf, x64: Remove tail call detection (git-fixes).
  • bpf,perf: Fix perf_event_detach_bpf_prog error handling (git-fixes).
  • bpf: Add --skip_encoding_btf_inconsistent_proto, --btf_gen_optimized to pahole flags for v1.25 (bsc#1230414 bsc#1229450).
  • bpf: Allow helpers to accept pointers with a fixed size (git-fixes).
  • bpf: Check for helper calls in check_subprogs() (git-fixes).
  • bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos (git-fixes).
  • bpf: Fix bpf_strtol and bpf_strtoul helpers for 32bit (git-fixes).
  • bpf: Fix helper writes to read-only maps (git-fixes).
  • bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation (bsc#1231375).
  • bpf: Fix tailcall cases in test_bpf (git-fixes).
  • bpf: Improve check_raw_mode_ok test for MEM_UNINIT-tagged types (git-fixes).
  • bpf: Remove truncation test in bpf_strtol and bpf_strtoul helpers (git-fixes).
  • bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error (git-fixes).
  • btf, scripts: Exclude Rust CUs with pahole (bsc#1230414 bsc#1229450).
  • bus: integrator-lm: fix OF node leak in probe() (git-fixes).
  • can: c_can: c_can_handle_bus_err(): update statistics if skb allocation fails (git-fixes).
  • can: c_can: fix {rx,tx}_errors statistics (git-fixes).
  • can: ems_usb: ems_usb_rx_err(): fix {rx,tx}_errors statistics (git-fixes).
  • can: ifi_canfd: ifi_canfd_handle_lec_err(): fix {rx,tx}_errors statistics (git-fixes).
  • can: j1939: j1939_session_new(): fix skb reference counting (git-fixes).
  • can: m_can: m_can_handle_lec_err(): fix {rx,tx}_errors statistics (git-fixes).
  • can: sun4i_can: sun4i_can_err(): call can_change_state() even if cf is NULL (git-fixes).
  • can: sun4i_can: sun4i_can_err(): fix {rx,tx}_errors statistics (git-fixes).
  • ceph: fix cap ref leak via netfs init_request (bsc#1231383).
  • cgroup/bpf: only cgroup v2 can be attached by bpf programs (bsc#1234108).
  • char: tpm: Fix possible memory leak in tpm_bios_measurements_open() (git-fixes).
  • chtls: fix tp->rcv_tstamp initialization (git-fixes).
  • clk: Add a devm variant of clk_rate_exclusive_get() (bsc#1227885).
  • clk: Provide !COMMON_CLK dummy for devm_clk_rate_exclusive_get() (bsc#1227885).
  • comedi: Flush partial mappings in error case (git-fixes).
  • comedi: ni_routing: tools: Check when the file could not be opened (stable-fixes).
  • cpufreq/amd-pstate: Fix amd_pstate mode switch on shared memory systems (git-fixes).
  • crypto: bcm - add error check in the ahash_hmac_init function (git-fixes).
  • crypto: caam - add error check to caam_rsa_set_priv_key_form (git-fixes).
  • crypto: caam - Fix the pointer passed to caam_qi_shutdown() (git-fixes).
  • crypto: cavium - Fix an error handling path in cpt_ucode_load_fw() (git-fixes).
  • crypto: cavium - Fix the if condition to exit loop after timeout (git-fixes).
  • crypto: hisilicon - Remove pci_aer_clear_nonfatal_status() call (bsc#1232075).
  • crypto: hisilicon/qm - re-enable communicate interrupt before notifying PF (bsc#1232075).
  • crypto: inside-secure - Fix the return value of safexcel_xcbcmac_cra_init() (git-fixes).
  • crypto: x86/aegis128 - access 32-bit arguments as 32-bit (git-fixes).
  • cxgb4: add forgotten u64 ivlan cast before shift (git-fixes).
  • cxgb4: Properly lock TX queue for the selftest (git-fixes).
  • cxgb4: unnecessary check for 0 in the free_sge_txq_uld() function (git-fixes).
  • debugfs: fix automount d_fsdata usage (git-fixes).
  • dn_route: set rt neigh to blackhole_netdev instead of loopback_dev in ifdown (bsc#1216813).
  • drbd: Add NULL check for net_conf to prevent dereference in state validation (git-fixes).
  • drbd: Fix atomicity violation in drbd_uuid_set_bm() (git-fixes).
  • driver core: bus: Return -EIO instead of 0 when show/store invalid bus attribute (stable-fixes).
  • drivers: net: prevent tun_build_skb() to exceed the packet size limit (git-fixes).
  • drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS (git-fixes).
  • drm: komeda: Fix an issue related to normalized zpos (stable-fixes).
  • drm/amd: Fix initialization mistake for NBIO 7.7.0 (stable-fixes).
  • drm/amd: Guard against bad data for ATIF ACPI method (git-fixes).
  • drm/amd/amdgpu: Fix double unlock in amdgpu_mes_add_ring (git-fixes).
  • drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2) (stable-fixes).
  • drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream (stable-fixes).
  • drm/amd/display: Allow backlight to go below AMDGPU_DM_DEFAULT_MIN_BACKLIGHT (stable-fixes).
  • drm/amd/display: Check link_res->hpo_dp_link_enc before using it (bsc#1231944).
  • drm/amd/display: Check null pointer before dereferencing se (stable-fixes).
  • drm/amd/display: Check null pointers before using dc->clk_mgr (stable-fixes).
  • drm/amd/display: Check stream before comparing them (stable-fixes).
  • drm/amd/display: Fix index out of bounds in DCN30 color transformation (stable-fixes).
  • drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation (stable-fixes).
  • drm/amd/display: Fix index out of bounds in degamma hardware format translation (stable-fixes).
  • drm/amd/display: Fix Synaptics Cascaded Panamera DSC Determination (stable-fixes).
  • drm/amd/display: Fix system hang while resume with TBT monitor (stable-fixes).
  • drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream' (stable-fixes).
  • drm/amd/display: Initialize get_bytes_per_element's default to 1 (stable-fixes).
  • drm/amd/display: Round calculated vtotal (stable-fixes).
  • drm/amd/display: Validate backlight caps are sane (stable-fixes).
  • drm/amd/pm: ensure the fw_info is not null before using it (stable-fixes).
  • drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() (stable-fixes).
  • drm/amdgpu: add raven1 gfxoff quirk (stable-fixes).
  • drm/amdgpu: Adjust debugfs eviction and IB access permissions (stable-fixes).
  • drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit (stable-fixes).
  • drm/amdgpu: enable gfxoff quirk on HP 705G4 (stable-fixes).
  • drm/amdgpu: fix unchecked return value warning for amdgpu_gfx (stable-fixes).
  • drm/amdgpu: prevent BO_HANDLES error from being overwritten (git-fixes).
  • drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported (git-fixes).
  • drm/amdgpu: properly handle vbios fake edid sizing (git-fixes).
  • drm/amdgpu: Replace one-element array with flexible-array member (stable-fixes).
  • drm/amdkfd: Fix resource leak in criu restore queue (stable-fixes).
  • drm/bridge: anx7625: Drop EDID cache on bridge power off (git-fixes).
  • drm/bridge: tc358767: Fix link properties discovery (git-fixes).
  • drm/bridge: tc358768: Fix DSI command tx (git-fixes).
  • drm/etnaviv: Request pages from DMA32 zone on addressing_limited (git-fixes).
  • drm/imx/dcss: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes).
  • drm/mm: Mark drm_mm_interval_tree*() functions with __maybe_unused (git-fixes).
  • drm/msm: Allocate memory for disp snapshot with kvzalloc() (git-fixes).
  • drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() (git-fixes).
  • drm/msm/adreno: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes).
  • drm/msm/dpu: cast crtc_clk calculation to u64 in _dpu_core_perf_calc_clk() (git-fixes).
  • drm/msm/dpu: do not always program merge_3d block (git-fixes).
  • drm/msm/dpu: make sure phys resources are properly initialized (git-fixes).
  • drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation (git-fixes).
  • drm/omap: Fix locking in omap_gem_new_dmabuf() (git-fixes).
  • drm/omap: Fix possible NULL dereference (git-fixes).
  • drm/panfrost: Remove unused id_mask from struct panfrost_model (git-fixes).
  • drm/printer: Allow NULL data in devcoredump printer (stable-fixes).
  • drm/radeon: Fix encoder->possible_clones (git-fixes).
  • drm/radeon: properly handle vbios fake edid sizing (git-fixes).
  • drm/radeon: Replace one-element array with flexible-array member (stable-fixes).
  • drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() (stable-fixes).
  • drm/rockchip: define gamma registers for RK3399 (stable-fixes).
  • drm/rockchip: support gamma control on RK3399 (stable-fixes).
  • drm/rockchip: vop: Fix a dereferenced before check warning (git-fixes).
  • drm/sched: Add locking to drm_sched_entity_modify_sched (git-fixes).
  • drm/sti: avoid potential dereference of error pointers (git-fixes).
  • drm/sti: avoid potential dereference of error pointers in sti_gdp_atomic_check (git-fixes).
  • drm/sti: avoid potential dereference of error pointers in sti_hqvdp_atomic_check (git-fixes).
  • drm/v3d: Address race-condition in MMU flush (git-fixes).
  • drm/v3d: Stop the active perfmon before being destroyed (git-fixes).
  • drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA (stable-fixes).
  • drm/vc4: hvs: Do not write gamma luts on 2711 (git-fixes).
  • drm/vc4: hvs: Fix dlist debug not resetting the next entry pointer (git-fixes).
  • drm/vc4: hvs: Remove incorrect limit from hvs_dlist debugfs function (git-fixes).
  • drm/vc4: Stop the active perfmon before being destroyed (git-fixes).
  • drm/vmwgfx: Handle surface check failure correctly (git-fixes).
  • drm/vmwgfx: Limit display layout ioctl array size to VMWGFX_NUM_DISPLAY_UNITS (stable-fixes).
  • drop HD-audio conexant patch that caused a regression on Thinkpad (bsc#1228269).
  • Drop OCFS2 patch causing a regression (bsc#1233255).
  • drop USB dwc2 patch that caused a regression on RPi3 (bsc#1232342).
  • e1000e: Fix S0ix residency on corporate systems (git-fixes).
  • efi/memattr: Ignore table if the size is clearly bogus (bsc#1231465).
  • efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption (stable-fixes).
  • erofs: avoid consecutive detection for Highmem memory (git-fixes).
  • erofs: avoid infinite loop in z_erofs_do_read_page() when reading beyond EOF (git-fixes).
  • erofs: fix pcluster use-after-free on UP platforms (git-fixes).
  • erofs: fix potential overflow calculating xattr_isize (git-fixes).
  • erofs: stop parsing non-compact HEAD index if clusterofs is invalid (git-fixes).
  • eth: bnxt: fix counting packets discarded due to OOM and netpoll (git-fixes).
  • exportfs: use pr_debug for unreachable debug statements (git-fixes).
  • ext4: fix slab-use-after-free in ext4_split_extent_at() (bsc#1232201).
  • fat: fix uninitialized variable (git-fixes).
  • fbdev: pxafb: Fix possible use after free in pxafb_task() (stable-fixes).
  • fbdev: sisfb: Fix strbuf array overflow (stable-fixes).
  • fgraph: Change the name of cpuhp state to 'fgraph:online' (git-fixes).
  • fgraph: Fix missing unlock in register_ftrace_graph() (git-fixes).
  • fgraph: Use CPU hotplug mechanism to initialize idle shadow stacks (git-fixes).
  • filelock: fix potential use-after-free in posix_lock_inode (git-fixes).
  • firmware: google: Unregister driver_info on failure (git-fixes).
  • firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() (git-fixes).
  • Fix regression on AMDGPU driver (bsc#1233134).
  • fs: Fix file_set_fowner LSM hook inconsistencies (git-fixes).
  • fs/namespace: fnic: Switch to use %ptTd (git-fixes).
  • fs/pipe: Fix lockdep false-positive in watchqueue pipe_write() (git-fixes).
  • genirq/msi: Fix off-by-one error in msi_domain_alloc() (git-fixes).
  • goldfish: Fix unused const variable 'goldfish_pipe_acpi_match' (git-fixes).
  • gpio: aspeed: Add the flush write to ensure the write complete (git-fixes).
  • gpio: aspeed: Use devm_clk api to manage clock source (git-fixes).
  • gpio: davinci: fix lazy disable (git-fixes).
  • gve: Fix an edge case for TSO skb validity check (git-fixes).
  • gve: Fix skb truesize underestimation (git-fixes).
  • gve: Fix XDP TX completion handling when counters overflow (git-fixes).
  • gve: ignore nonrelevant GSO type bits when processing TSO headers (git-fixes).
  • hid: amd_sfh: Switch to device-managed dmam_alloc_coherent() (git-fixes).
  • hid: core: zero-initialize the report buffer (git-fixes).
  • hid: intel-ish-hid: Fix uninitialized variable 'rv' in ish_fw_xfer_direct_dma (git-fixes).
  • hid: lenovo: Add support for Thinkpad X1 Tablet Gen 3 keyboard (stable-fixes).
  • hid: multitouch: Add quirk for HONOR MagicBook Art 14 touchpad (stable-fixes).
  • hid: multitouch: Add quirk for Logitech Bolt receiver w/ Casa touchpad (stable-fixes).
  • hid: multitouch: Add support for B2402FVA track point (stable-fixes).
  • hid: multitouch: Add support for GT7868Q (stable-fixes).
  • hid: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio (stable-fixes).
  • hid: plantronics: Workaround for an unexpected opposite volume key (stable-fixes).
  • hid: wacom: Defer calculation of resolution until resolution_code is known (git-fixes).
  • hid: wacom: fix when get product name maybe null pointer (git-fixes).
  • hid: wacom: Interpret tilt data from Intuos Pro BT as signed values (git-fixes).
  • hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event (git-fixes).
  • hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer (git-fixes).
  • hwmon: (adm9240) Add missing dependency on REGMAP_I2C (git-fixes).
  • hwmon: (tmp513) Add missing dependency on REGMAP_I2C (git-fixes).
  • hwmon: (tps23861) Fix reporting of negative temperatures (git-fixes).
  • i2c: i801: Use a different adapter-name for IDF adapters (stable-fixes).
  • i2c: imx-lpi2c: return -EINVAL when i2c peripheral clk does not work (bsc#1227885).
  • i2c: imx-lpi2c: use bulk clk API (bsc#1227885).
  • i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume (git-fixes).
  • i2c: xiic: Fix broken locking on tx_msg (stable-fixes).
  • i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled (git-fixes).
  • i2c: xiic: Fix RX IRQ busy check (stable-fixes).
  • i2c: xiic: improve error message when transfer fails to start (stable-fixes).
  • i2c: xiic: Switch from waitqueue to completion (stable-fixes).
  • i2c: xiic: Try re-initialization on bus busy timeout (git-fixes).
  • i2c: xiic: Use devm_clk_get_enabled() (stable-fixes).
  • i2c: xiic: xiic_xfer(): Fix runtime PM leak on error path (git-fixes).
  • i3c: master: Fix miss free init_dyn_addr at i3c_master_put_i3c_addrs() (git-fixes).
  • i40e: avoid double calling i40e_pf_rxq_wait() (git-fixes).
  • i40e: disable NAPI right after disabling irqs when handling xsk_pool (git-fixes).
  • i40e: Fix filter input checks to prevent config with invalid values (git-fixes).
  • i40e: fix use-after-free in i40e_aqc_add_filters() (git-fixes).
  • i40e: Fix waiting for queues of all VSIs to be disabled (git-fixes).
  • i40e: Fix XDP program unloading while removing the driver (git-fixes).
  • i40e: Report MFS in decimal base instead of hex (git-fixes).
  • i40e: Restore VF MSI-X state during PCI reset (git-fixes).
  • i40e: take into account XDP Tx queues when stopping rings (git-fixes).
  • iavf: do not process adminq tasks when __IAVF_IN_REMOVE_TASK is set (git-fixes).
  • iavf: fix FDIR rule fields masks validation (git-fixes).
  • iavf: Fix promiscuous mode configuration flow messages (git-fixes).
  • iavf: Fix TC config comparison with existing adapter TC config (git-fixes).
  • iavf: in iavf_down, disable queues when removing the driver (git-fixes).
  • iavf: initialize waitqueues before starting watchdog_task (git-fixes).
  • iavf: Introduce new state machines for flow director (git-fixes).
  • iavf: send VLAN offloading caps once after VFR (git-fixes).
  • iavf: validate tx_coalesce_usecs even if rx_coalesce_usecs is zero (git-fixes).
  • ibmvnic: Do partial reset on login failure (bsc#1233150).
  • ibmvnic: Enforce stronger sanity checks on login response (bsc#1233150).
  • ibmvnic: Ensure login failure recovery is safe from other resets (bsc#1233150).
  • ibmvnic: Handle DMA unmapping of login buffs in release functions (bsc#1233150).
  • ibmvnic: Unmap DMA login rsp buffer on send login fail (bsc#1233150).
  • ice: avoid executing commands on other ports when driving sync (git-fixes).
  • ice: Block switchdev mode when ADQ is active and vice versa (git-fixes).
  • ice: change q_index variable type to s16 to store -1 value (git-fixes).
  • ice: fix accounting for filters shared by multiple VSIs (git-fixes).
  • ice: fix accounting if a VLAN already exists (git-fixes).
  • ice: fix ICE_LAST_OFFSET formula (git-fixes).
  • ice: Fix link_down_on_close message (git-fixes).
  • ice: Fix netif_is_ice() in Safe Mode (git-fixes).
  • ice: Fix NULL pointer deref during VF reset (git-fixes).
  • ice: fix over-shifted variable (git-fixes).
  • ice: fix receive buffer size miscalculation (git-fixes).
  • ice: fix VLAN replay after reset (git-fixes).
  • ice: Fix VSI list rule with ICE_SW_LKUP_LAST type (git-fixes).
  • ice: ice_aq_check_events: fix off-by-one check when filling buffer (git-fixes).
  • ice: Interpret .set_channels() input differently (git-fixes).
  • ice: reset first in crash dump kernels (git-fixes).
  • ice: respect netif readiness in AF_XDP ZC related ndo's (git-fixes).
  • ice: Shut down VSI with 'link-down-on-close' enabled (git-fixes).
  • ice: tc: allow zero flags in parsing tc flower (git-fixes).
  • ice: Unbind the workqueue (bsc#1231344).
  • ice: virtchnl: stop pretending to support RSS over AQ or registers (git-fixes).
  • idpf: avoid compiler introduced padding in virtchnl2_rss_key struct (git-fixes).
  • idpf: avoid compiler padding in virtchnl2_ptype struct (git-fixes).
  • idpf: disable local BH when scheduling napi for marker packets (git-fixes).
  • idpf: distinguish vports by the dev_port attribute (git-fixes).
  • idpf: do not enable NAPI and interrupts prior to allocating Rx buffers (git-fixes).
  • idpf: fix corrupted frames and skb leaks in singleq mode (git-fixes).
  • idpf: fix memleak in vport interrupt configuration (git-fixes).
  • idpf: fix memory leaks and crashes while performing a soft reset (git-fixes).
  • idpf: fix UAFs when destroying the queues (git-fixes).
  • idpf: Interpret .set_channels() input differently (git-fixes).
  • igb: Always call igb_xdp_ring_update_tail() under Tx lock (git-fixes).
  • igb: extend PTP timestamp adjustments to i211 (git-fixes).
  • igb: Fix missing time sync events (git-fixes).
  • igb: Fix not clearing TimeSync interrupts for 82580 (git-fixes).
  • igc: Check VLAN EtherType mask (git-fixes).
  • igc: Check VLAN TCI mask (git-fixes).
  • igc: Fix hicredit calculation (git-fixes).
  • igc: Fix missing time sync events (git-fixes).
  • igc: Remove temporary workaround (git-fixes).
  • igc: Report VLAN EtherType matching back to user (git-fixes).
  • igc: Unlock on error in igc_io_resume() (git-fixes).
  • iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() (git-fixes).
  • iio: adc: ad7606: Fix typo in the driver name (git-fixes).
  • iio: adc: ad7923: Fix buffer overflow for tx_buf and ring_xfer (git-fixes).
  • iio: dac: ad5770r: add missing select REGMAP_SPI in Kconfig (git-fixes).
  • iio: dac: ltc1660: add missing select REGMAP_SPI in Kconfig (git-fixes).
  • iio: dac: stm32-dac-core: add missing select REGMAP_MMIO in Kconfig (git-fixes).
  • iio: hid-sensors: Fix an error handling path in _hid_sensor_set_report_latency() (git-fixes).
  • iio: light: al3010: Fix an error handling path in al3010_probe() (git-fixes).
  • iio: light: opt3001: add missing full-scale range value (git-fixes).
  • iio: light: veml6030: fix ALS sensor resolution (git-fixes).
  • iio: light: veml6030: fix IIO device retrieval from embedded device (git-fixes).
  • iio: light: veml6030: fix microlux value calculation (git-fixes).
  • iio: proximity: mb1232: add missing select IIO_(TRIGGERED_)BUFFER in Kconfig (git-fixes).
  • initramfs: avoid filename buffer overrun (bsc#1232436).
  • input: adp5589-keys - fix adp5589_gpio_get_value() (git-fixes).
  • input: adp5589-keys - fix NULL pointer dereference (git-fixes).
  • input: ads7846 - ratelimit the spi_sync error message (stable-fixes).
  • input: goodix - use the new soc_intel_is_byt() helper (stable-fixes).
  • input: i8042 - add another board name for TUXEDO Stellaris Gen5 AMD line (git-fixes).
  • input: i8042 - add Ayaneo Kun to i8042 quirk table (git-fixes).
  • input: i8042 - add Fujitsu Lifebook E756 to i8042 quirk table (git-fixes).
  • input: i8042 - add TUXEDO Stellaris 15 Slim Gen6 AMD to i8042 quirk table (git-fixes).
  • input: i8042 - add TUXEDO Stellaris 16 Gen5 AMD to i8042 quirk table (git-fixes).
  • input: synaptics - enable SMBus for HP Elitebook 840 G2 (stable-fixes).
  • iommu/vt-d: Always reserve a domain ID for identity setup (git-fixes).
  • ipv6: blackhole_netdev needs snmp6 counters (bsc#1216813).
  • ipv6: give an IPv6 dev to blackhole_netdev (bsc#1216813).
  • irqchip/gic-v3-its: Avoid explicit cpumask allocation on stack (git-fixes).
  • irqchip/gic-v3-its: Fix VSYNC referencing an unmapped VPE on GIC v4.1 (git-fixes).
  • itco_wdt: mask NMI_NOW bit for update_no_reboot_bit() call (git-fixes).
  • ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able (git-fixes).
  • ixgbe: avoid sleeping allocation in ixgbe_ipsec_vf_add_sa() (git-fixes).
  • ixgbe: fix crash with empty VF macvlan list (git-fixes).
  • ixgbe: fix timestamp configuration code (git-fixes).
  • jfs: check if leafidx greater than num leaves per dmap tree (git-fixes).
  • jfs: Fix sanity check in dbMount (git-fixes).
  • jfs: Fix uaf in dbFreeBits (git-fixes).
  • jfs: Fix uninit-value access of new_ea in ea_buffer (git-fixes).
  • jfs: UBSAN: shift-out-of-bounds in dbFindBits (git-fixes).
  • kab: fix after net: add more sanity check in virtio_net_hdr_to_skb() (git-fixes).
  • kabi fix of KVM: arm64: Preserve PSTATE.SS for the guest while single-step is enabled (git-fixes).
  • kABI: bpf: enum bpf_{type_flag,arg_type} kABI workaround (git-fixes).
  • kABI: bpf: struct bpf_func_proto kABI workaround (git-fixes).
  • kabi: fix after kvm: add guest_state_{enter,exit}_irqoff() (git-fixes).
  • kabi: fix after KVM: arm64: mixed-width check should be skipped for uninitialized vCPUs (git-fixes).
  • kabi: Restore exported __arm_smccc_sve_check (git-fixes).
  • kbuild, bpf: Use test-ge check for v1.25-only pahole (bsc#1230414 bsc#1229450).
  • kbuild,bpf: Add module-specific pahole flags for distilled base BTF (bsc#1230414 bsc#1229450).
  • kbuild,bpf: Switch to using --btf_features for pahole v1.26 and later (bsc#1230414 bsc#1229450).
  • kbuild: add test-{ge,gt,le,lt} macros (bsc#1230414 bsc#1229450).
  • kbuild: avoid too many execution of scripts/pahole-flags.sh (bsc#1230414 bsc#1229450).
  • kbuild: bpf: Tell pahole to DECL_TAG kfuncs (bsc#1230414 bsc#1229450).
  • kernel-binary: Enable livepatch package only when livepatch is enabled. Otherwise the filelist may be empty, failing the build (bsc#1218644).
  • kernel.h: split out COUNT_ARGS() and CONCATENATE() to args.h (git-fixes).
  • kexec: fix a memory leak in crash_shrink_memory() (git-fixes).
  • kvm: add guest_state_{enter,exit}_irqoff() (git-fixes).
  • kvm: Add support for arch compat vm ioctls (git-fixes).
  • kvm: arm64: Add missing memory barriers when switching to pKVM's hyp pgd (git-fixes).
  • kvm: arm64: Allow AArch32 PSTATE.M to be restored as System mode (git-fixes).
  • kvm: arm64: Fix AArch32 register narrowing on userspace write (git-fixes).
  • kvm: arm64: GICv4: Do not perform a map to a mapped vLPI (git-fixes).
  • kvm: arm64: Invalidate EL1&0 TLB entries for all VMIDs in nvhe hyp init (git-fixes).
  • kvm: arm64: mixed-width check should be skipped for uninitialized vCPUs (git-fixes).
  • kvm: arm64: Preserve PSTATE.SS for the guest while single-step is enabled (git-fixes).
  • kvm: arm64: Release pfn, i.e. put page, if copying MTE tags hits ZONE_DEVICE (git-fixes).
  • kvm: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table() (git-fixes).
  • kvm: arm64: vgic-its: Test for valid IRQ in MOVALL handler (git-fixes).
  • kvm: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr() (git-fixes).
  • kvm: arm64: vgic-v2: Use cpuid from userspace as vcpu_id (git-fixes).
  • kvm: arm64: vgic-v4: Restore pending state on host userspace write (git-fixes).
  • kvm: eventfd: Fix false positive RCU usage warning (git-fixes).
  • kvm: Fix coalesced_mmio_has_room() to avoid premature userspace exit (git-fixes).
  • kvm: Fix lockdep false negative during host resume (git-fixes).
  • kvm: fix memoryleak in kvm_init() (git-fixes).
  • kvm: Grab a reference to KVM for VM and vCPU stats file descriptors (git-fixes).
  • kvm: Optimize kvm_make_vcpus_request_mask() a bit (git-fixes).
  • kvm: PPC: Book3S HV: remove unused variable (bsc#1194869).
  • kvm: Pre-allocate cpumasks for kvm_make_all_cpus_request_except() (git-fixes).
  • kvm: Reject overly excessive IDs in KVM_CREATE_VCPU (git-fixes).
  • kvm: s390: Change virtual to physical address access in diag 0x258 handler (git-fixes bsc#1232631).
  • kvm: s390: Fix SORTL and DFLTCC instruction format error in __insn32_query (git-fixes bsc#1231277).
  • kvm: s390: gaccess: Check if guest address is in memslot (git-fixes bsc#1232630).
  • kvm: SVM: Disallow guest from changing userspace's MSR_AMD64_DE_CFG value (git-fixes).
  • kvm: SVM: Do not advertise Bus Lock Detect to guest if SVM support is missing (git-fixes).
  • kvm: SVM: fix emulation of msr reads/writes of MSR_FS_BASE and MSR_GS_BASE (git-fixes).
  • kvm: Unconditionally get a ref to /dev/kvm module when creating a VM (git-fixes).
  • kvm: Write the per-page 'segment' when clearing (part of) a guest page (git-fixes).
  • kvm: x86: Use a stable condition around all VT-d PI paths (git-fixes).
  • kvm: x86/mmu: Fold rmap_recycle into rmap_add (git-fixes).
  • kvm: x86/mmu: Rename slot_handle_leaf to slot_handle_level_4k (git-fixes).
  • kvm/arm64: rework guest entry logic (git-fixes).
  • mac80211: MAC80211_MESSAGE_TRACING should depend on TRACING (git-fixes).
  • Makefile.compiler: replace cc-ifversion with compiler-specific macros (bsc#1230414 bsc#1229450).
  • media: adv7604: prevent underflow condition when reporting colorspace (git-fixes).
  • media: cx24116: prevent overflows on SNR calculus (git-fixes).
  • media: dvb_frontend: do not play tricks with underflow values (git-fixes).
  • media: dvb-usb-v2: af9035: fix missing unlock (git-fixes).
  • media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer (stable-fixes).
  • media: dvbdev: prevent the risk of out of memory access (git-fixes).
  • media: pci: cx23885: check cx23885_vdev_init() return (stable-fixes).
  • media: pulse8-cec: fix data timestamp at pulse8_setup() (git-fixes).
  • media: stb0899_algo: initialize cfr before using it (git-fixes).
  • media: v4l2-ctrls-api: fix error handling for v4l2_g_ctrl() (git-fixes).
  • media: v4l2-tpg: prevent the risk of a division by zero (git-fixes).
  • media: videobuf2-core: clear memory related fields in __vb2_plane_dmabuf_put() (stable-fixes).
  • mei: use kvmalloc for read buffer (git-fixes).
  • misc: apds990x: Fix missing pm_runtime_disable() (git-fixes).
  • mm/hugetlb: fix nodes huge page allocation when there are surplus pages (bsc#1234012).
  • mm/memory: add non-anonymous page check in the copy_present_page() (bsc#1231646).
  • modpost: remove incorrect code in do_eisa_entry() (git-fixes).
  • module: abort module loading when sysfs setup suffer errors (git-fixes).
  • nbd: fix race between timeout and normal completion (bsc#1230918).
  • net: add more sanity check in virtio_net_hdr_to_skb() (git-fixes).
  • net: ena: Fix potential sign extension issue (git-fixes).
  • net: ena: Remove ena_select_queue (git-fixes).
  • net: ena: Wrong missing IO completions check order (git-fixes).
  • net: mana: Implement get_ringparam/set_ringparam for mana (bsc#1229891).
  • net: mana: Improve mana_set_channels() in low mem conditions (bsc#1230289).
  • net: qede: use return from qede_parse_flow_attr() for flow_spec (git-fixes).
  • net: relax socket state check at accept time (git-fixes).
  • net: socket: suppress unused warning (git-fixes).
  • net: test for not too small csum_start in virtio_net_hdr_to_skb() (git-fixes).
  • net: usb: lan78xx: Fix memory leak on device unplug by freeing PHY device (git-fixes).
  • net: usb: lan78xx: Fix refcounting and autosuspend on invalid WoL configuration (git-fixes).
  • net: usb: qmi_wwan: add Fibocom FG132 0x0112 composition (stable-fixes).
  • net: usb: usbnet: fix name regression (git-fixes).
  • net: usb: usbnet: fix race in probe failure (git-fixes).
  • net/mlx5: Add missing masks and QoS bit masks for scheduling elements (git-fixes).
  • net/mlx5: Added cond_resched() to crdump collection (git-fixes).
  • net/mlx5: Allow 0 for total host VFs (git-fixes).
  • net/mlx5: Correctly compare pkt reformat ids (git-fixes).
  • net/mlx5: DR, Can't go to uplink vport on RX rule (git-fixes).
  • net/mlx5: DR, fix memory leak in mlx5dr_cmd_create_reformat_ctx (git-fixes).
  • net/mlx5: DR, Use the right GVMI number for drop action (git-fixes).
  • net/mlx5: Drain health before unregistering devlink (git-fixes).
  • net/mlx5: E-switch, register event handler before arming the event (git-fixes).
  • net/mlx5: Explicitly set scheduling element and TSAR type (git-fixes).
  • net/mlx5: Fix fw tracer first block check (git-fixes).
  • net/mlx5: fix potential memory leak in mlx5e_init_rep_rx (git-fixes).
  • net/mlx5: fs, lock FTE when checking if active (git-fixes).
  • net/mlx5: Handle fw tracer change ownership event based on MTRC (git-fixes).
  • net/mlx5: LAG, Check correct bucket when modifying LAG (git-fixes).
  • net/mlx5: Lag, do bond only if slaves agree on roce state (git-fixes).
  • net/mlx5: Lag, do not use the hardcoded value of the first port (git-fixes).
  • net/mlx5: Lag, restore buckets number to default after hash LAG deactivation (git-fixes).
  • net/mlx5: Skip clock update work when device is in error state (git-fixes).
  • net/mlx5: Unregister notifier on eswitch init failure (git-fixes).
  • net/mlx5: Update the list of the PCI supported devices (git-fixes).
  • net/mlx5: Use mlx5 device constant for selecting CQ period mode for ASO (git-fixes).
  • net/mlx5: Use recovery timeout on sync reset flow (git-fixes).
  • net/mlx5: Use RMW accessors for changing LNKCTL (git-fixes).
  • net/mlx5e: Add a check for the return value from mlx5_port_set_eth_ptys (git-fixes).
  • net/mlx5e: Add missing link modes to ptys2ethtool_map (git-fixes).
  • net/mlx5e: Add mqprio_rl cleanup and free in mlx5e_priv_cleanup() (git-fixes).
  • net/mlx5e: Again mutually exclude RX-FCS and RX-port-timestamp (git-fixes).
  • net/mlx5e: Allow software parsing when IPsec crypto is enabled (git-fixes).
  • net/mlx5e: Change the warning when ignore_flow_level is not supported (git-fixes).
  • net/mlx5e: Check return value of snprintf writing to fw_version buffer (git-fixes).
  • net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors (git-fixes).
  • net/mlx5e: Correct snprintf truncation handling for fw_version buffer (git-fixes).
  • net/mlx5e: Correct snprintf truncation handling for fw_version buffer used by representors (git-fixes).
  • net/mlx5e: Correctly report errors for ethtool rx flows (git-fixes).
  • net/mlx5e: CT: Fix null-ptr-deref in add rule err flow (git-fixes).
  • net/mlx5e: Do not offload internal port if filter device is out device (git-fixes).
  • net/mlx5e: fix a potential double-free in fs_udp_create_groups (git-fixes).
  • net/mlx5e: Fix crash moving to switchdev mode when ntuple offload is set (git-fixes).
  • net/mlx5e: fix double free in macsec_fs_tx_create_crypto_table_groups (git-fixes).
  • net/mlx5e: fix double free of encap_header (git-fixes).
  • net/mlx5e: Fix features validation check for tunneled UDP (non-VXLAN) packets (git-fixes).
  • net/mlx5e: Fix IPsec tunnel mode offload feature check (git-fixes).
  • net/mlx5e: Fix pedit endianness (git-fixes).
  • net/mlx5e: Fix possible deadlock on mlx5e_tx_timeout_work (git-fixes).
  • net/mlx5e: fix return value check in mlx5e_ipsec_remove_trailer() (git-fixes).
  • net/mlx5e: Fix slab-out-of-bounds in mlx5_query_nic_vport_mac_list() (git-fixes).
  • net/mlx5e: Fix UDP GSO for encapsulated packets (git-fixes).
  • net/mlx5e: HTB, Fix inconsistencies with QoS SQs number (git-fixes).
  • net/mlx5e: kTLS, Fix incorrect page refcounting (git-fixes).
  • net/mlx5e: Move representor neigh cleanup to profile cleanup_tx (git-fixes).
  • net/mlx5e: Reduce the size of icosq_str (git-fixes).
  • net/mlx5e: Take state lock during tx timeout reporter (git-fixes).
  • net/mlx5e: Use rx_missed_errors instead of rx_dropped for reporting buffer exhaustion (git-fixes).
  • net/sched: taprio: Limit TCA_TAPRIO_ATTR_SCHED_CYCLE_TIME to INT_MAX (bsc#1226797).
  • netdevsim: use cond_resched() in nsim_dev_trap_report_work() (git-fixes).
  • nfs: Avoid unnecessary rescanning of the per-server delegation list (git-fixes).
  • nfs: Fix KMSAN warning in decode_getfattr_attrs() (git-fixes).
  • nfs: fix memory leak in error path of nfs4_do_reclaim (git-fixes).
  • nfsd: call cache_put if xdr_reserve_space returns NULL (git-fixes).
  • nfsd: fix delegation_blocked() to block correctly for at least 30 seconds (git-fixes).
  • nfsd: Fix NFSv4's PUTPUBFH operation (git-fixes).
  • nfsd: fix refcount leak when file is unhashed after being found (git-fixes).
  • nfsd: map the EBADMSG to nfserr_io to avoid warning (git-fixes).
  • nfsd: Mark filecache 'down' if init fails (git-fixes).
  • nfsd: remove unneeded EEXIST error check in nfsd_do_file_acquire (git-fixes).
  • nfsd: return -EINVAL when namelen is 0 (git-fixes).
  • nfsv3: only use NFS timeout for MOUNT when protocols are compatible (bsc#1231016).
  • nfsv4: Fix clearing of layout segments in layoutreturn (git-fixes).
  • nilfs2: fix kernel bug due to missing clearing of buffer delay flag (git-fixes).
  • nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error (git-fixes).
  • ntb: intel: Fix the NULL vs IS_ERR() bug for debugfs_create_dir() (git-fixes).
  • ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition (stable-fixes).
  • nvme-fabrics: fix kernel crash while shutting down controller (git-fixes).
  • nvme-multipath: system fails to create generic nvme device (git-fixes).
  • nvme-pci: fix freeing of the HMB descriptor table (git-fixes).
  • nvme-pci: qdepth 1 quirk (git-fixes).
  • nvme-pci: reverse request order in nvme_queue_rqs (git-fixes).
  • nvmet-auth: assign dh_key to NULL after kfree_sensitive (git-fixes).
  • ocfs2: fix the la space leak when unmounting an ocfs2 volume (git-fixes).
  • ocfs2: fix uninit-value in ocfs2_get_block() (git-fixes).
  • ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow (git-fixes).
  • ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove() (git-fixes).
  • parport: Proper fix for array out-of-bounds access (git-fixes).
  • pci: Add ACS quirk for Qualcomm SA8775P (stable-fixes).
  • pci: Add function 0 DMA alias quirk for Glenfly Arise chip (stable-fixes).
  • pci: Add T_PVPERL macro (git-fixes).
  • pci: endpoint: Clear secondary (not primary) EPC in pci_epc_remove_epf() (git-fixes).
  • pci: Fix pci_enable_acs() support for the ACS quirks (bsc#1229019).
  • pci: Fix reset_method_store() memory leak (git-fixes).
  • pci: j721e: Deassert PERST# after a delay of PCIE_T_PVPERL_MS milliseconds (git-fixes).
  • pci: keystone: Add link up check to ks_pcie_other_map_bus() (git-fixes).
  • pci: keystone: Set mode as Root Complex for 'ti,keystone-pcie' compatible (git-fixes).
  • pci: Mark Creative Labs EMU20k2 INTx masking as broken (stable-fixes).
  • pci: rockchip-ep: Fix address translation unit programming (git-fixes).
  • phy: tegra: xusb: Add error pointer check in xusb.c (git-fixes).
  • platform/chrome: cros_ec_typec: fix missing fwnode reference decrement (git-fixes).
  • platform/surface: aggregator_registry: Add support for Surface Laptop Go 3 (stable-fixes).
  • platform/surface: aggregator: Fix warning when controller is destroyed in probe (git-fixes).
  • platform/x86: dell-sysman: add support for alienware products (stable-fixes).
  • platform/x86: dell-wmi: Ignore suspend notifications (stable-fixes).
  • platform/x86: touchscreen_dmi: add nanote-next quirk (stable-fixes).
  • posix-cpu-timers: Clear TICK_DEP_BIT_POSIX_TIMER on clone (bsc#1234098).
  • power: reset: brcmstb: Do not go into infinite loop if reset fails (stable-fixes).
  • power: supply: bq27xxx: Fix registers of bq27426 (git-fixes).
  • power: supply: core: Remove might_sleep() from power_supply_put() (git-fixes).
  • powerpc: Allow clearing and restoring registers independent of saved breakpoint state (bsc#1194869).
  • powerpc: remove GCC version check for UPD_CONSTR (bsc#1194869).
  • powerpc/64: Convert patch_instruction() to patch_u32() (bsc#1194869).
  • powerpc/asm: Remove UPD_CONSTR after GCC 4.9 removal (bsc#1194869).
  • powerpc/atomic: Use YZ constraints for DS-form instructions (bsc#1194869).
  • powerpc/boot: Handle allocation failure in simple_realloc() (bsc#1194869).
  • powerpc/boot: Only free if realloc() succeeds (bsc#1194869).
  • powerpc/code-patching: Add generic memory patching (bsc#1194869).
  • powerpc/code-patching: Consolidate and cache per-cpu patching context (bsc#1194869).
  • powerpc/code-patching: Do not call is_vmalloc_or_module_addr() without CONFIG_MODULES (bsc#1194869).
  • powerpc/code-patching: Fix error handling in do_patch_instruction() (bsc#1194869).
  • powerpc/code-patching: Fix oops with DEBUG_VM enabled (bsc#1194869).
  • powerpc/code-patching: Fix unmap_patch_area() error handling (bsc#1194869).
  • powerpc/code-patching: introduce patch_instructions() (bsc#1194869).
  • powerpc/code-patching: Perform hwsync in __patch_instruction() in case of failure (bsc#1194869).
  • powerpc/code-patching: Pre-map patch area (bsc#1194869).
  • powerpc/code-patching: Remove #ifdef CONFIG_STRICT_KERNEL_RWX (bsc#1194869).
  • powerpc/code-patching: Remove pr_debug()/pr_devel() messages and fix check() (bsc#1194869).
  • powerpc/code-patching: Reorganise do_patch_instruction() to ease error handling (bsc#1194869).
  • powerpc/code-patching: Speed up page mapping/unmapping (bsc#1194869).
  • powerpc/code-patching: Use jump_label to check if poking_init() is done (bsc#1194869).
  • powerpc/code-patching: Use temporary mm for Radix MMU (bsc#1194869).
  • powerpc/code-patching: Use WARN_ON and fix check in poking_init (bsc#1194869).
  • powerpc/ftrace: Use patch_instruction() return directly (bsc#1194869).
  • powerpc/imc-pmu: Fix use of mutex in IRQs disabled section (bsc#1054914 git-fixes).
  • powerpc/imc-pmu: Use the correct spinlock initializer (bsc#1054914 git-fixes).
  • powerpc/inst: Refactor ___get_user_instr() (bsc#1194869).
  • powerpc/kexec: Fix return of uninitialized variable (bsc#1194869).
  • powerpc/lib: Add __init attribute to eligible functions (bsc#1194869).
  • powerpc/mm: Fix boot crash with FLATMEM (bsc#1194869).
  • powerpc/mm: Fix boot warning with hugepages and CONFIG_DEBUG_VIRTUAL (bsc#1194869).
  • powerpc/mm/fault: Fix kfence page fault reporting (bsc#1194869).
  • powerpc/powernv: Free name on error in opal_event_init() (bsc#1194869).
  • powerpc/pseries: Fix dtl_access_lock to be a rw_semaphore (bsc#1194869).
  • powerpc/pseries: Fix KVM guest detection for disabling hardlockup detector (bsc#1194869).
  • powerpc/tlb: Add local flush for page given mm_struct and psize (bsc#1194869).
  • powerpc/vdso: augment VDSO32 functions to support 64 bits build (bsc#1194869).
  • powerpc/vdso: Fix VDSO data access when running in a non-root time namespace (bsc#1194869).
  • powerpc/vdso: Merge vdso64 and vdso32 into a single directory (bsc#1194869).
  • powerpc/vdso: Rework VDSO32 makefile to add a prefix to object files (bsc#1194869).
  • powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu (bsc#1194869).
  • powerpc/xmon: Fix disassembly CPU feature checks (bsc#1065729).
  • qed: avoid truncating work queue length (git-fixes).
  • rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow (bsc#1226631).
  • rcu: Add rcutree.nohz_full_patience_delay to reduce nohz_full (bsc#1231327)
  • rdma/bnxt_re: Add a check for memory allocation (git-fixes)
  • rdma/bnxt_re: Check cqe flags to know imm_data vs inv_irkey (git-fixes)
  • rdma/bnxt_re: Fix a bug while setting up Level-2 PBL pages (git-fixes)
  • rdma/bnxt_re: Fix incorrect AVID type in WQE structure (git-fixes)
  • rdma/bnxt_re: Fix the GID table length (git-fixes)
  • rdma/bnxt_re: Fix the max CQ WQEs for older adapters (git-fixes)
  • rdma/bnxt_re: Fix the usage of control path spin locks (git-fixes)
  • rdma/bnxt_re: Return more meaningful error (git-fixes)
  • rdma/bnxt_re: synchronize the qp-handle table array (git-fixes)
  • rdma/cxgb4: Dump vendor specific QP details (git-fixes)
  • rdma/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP (git-fixes)
  • rdma/hns: Add clear_hem return value to log (git-fixes)
  • rdma/hns: Add mutex_destroy() (git-fixes)
  • rdma/hns: Fix an AEQE overflow error caused by untimely update of eq_db_ci (git-fixes)
  • rdma/hns: Fix cpu stuck caused by printings during reset (git-fixes)
  • rdma/hns: Fix different dgids mapping to the same dip_idx (git-fixes)
  • rdma/hns: Fix flush cqe error when racing with destroy qp (git-fixes)
  • rdma/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg() (git-fixes)
  • rdma/hns: Fix out-of-order issue of requester when setting FENCE (git-fixes)
  • rdma/hns: Remove unnecessary QP type checks (git-fixes)
  • rdma/hns: Remove unused abnormal interrupt of type RAS (git-fixes)
  • rdma/hns: Use dev_* printings in hem code instead of ibdev_* (git-fixes)
  • rdma/hns: Use macro instead of magic number (git-fixes)
  • rdma/irdma: Fix misspelling of 'accept*' (git-fixes)
  • rdma/mad: Improve handling of timed out WRs of mad agent (git-fixes)
  • rdma/mana_ib: use the correct page size for mapping user-mode doorbell page (git-fixes).
  • rdma/mana_ib: use the correct page table index based on hardware page size (git-fixes).
  • rdma/mlx5: Move events notifier registration to be after device registration (git-fixes)
  • rdma/mlx5: Round max_rd_atomic/max_dest_rd_atomic up instead of down (git-fixes)
  • rdma/mlx5: Use sq timestamp as QP timestamp when RoCE is disabled (git-fixes).
  • rdma/rtrs-srv: Avoid null pointer deref during path establishment (git-fixes)
  • rdma/rxe: Fix the qp flush warnings in req (git-fixes)
  • rdma/rxe: Set queue pair cur_qp_state when being queried (git-fixes)
  • rdma/srpt: Make slab cache names unique (git-fixes)
  • Removed the duplicated check of static_assert(sizeof(struct work_struct) >= sizeof(struct rcu_head)).
  • Removed unnecessary white-space change in kernel/bpf/syscall.c
  • Revert 'cgroup: Fix memory leak caused by missing cgroup_bpf_offline' (bsc#1234108).
  • Revert 'ixgbe: Manual AN-37 for troublesome link partners for X550 SFI' (git-fixes).
  • Revert 'KVM: Prevent module exit until all VMs are freed' (git-fixes).
  • Revert 'mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K' (git-fixes).
  • Revert 'usb: gadget: composite: fix OS descriptors w_value logic' (git-fixes).
  • Revert 'usb: yurex: Replace snprintf() with the safer scnprintf() variant' (stable-fixes).
  • Revert PM changes that caused a regression on S4 resume (bsc#1231578).
  • rpm/check-for-config-changes: add HAVE_RUST and RUSTC_SUPPORTS_ to IGNORED_CONFIGS_RE. They depend on SHADOW_CALL_STACK.
  • rpm/check-for-config-changes: Exclude ARCH_USING_PATCHABLE_FUNCTION_ENTRY. It is gcc version dependent, at least on ppc.
  • rpm/release-projects: Add SLFO projects (bsc#1231293).
  • rpm/scripts: Remove obsolete Symbols.list. Symbols.list is no longer needed by the new klp-convert implementation (bsc#1218644).
  • rtc: ab-eoz9: do not fail temperature reads on undervoltage notification (git-fixes).
  • rtc: abx80x: Fix WDT bit position of the status register (git-fixes).
  • rtc: check if __rtc_read_time was successful in rtc_timer_do_work() (git-fixes).
  • rtc: st-lpc: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes).
  • s390/mm: Add cond_resched() to cmm_alloc/free_pages() (bsc#1228747).
  • s390/sclp_vt220: Convert newlines to CRLF instead of LFCR (git-fixes bsc#1232632).
  • sched/isolation: Prevent boot crash when the boot CPU is (bsc#1231327)
  • scsi: aacraid: Rearrange order of struct aac_srb_unit (git-fixes).
  • scsi: core: alua: I/O errors for ALUA state transitions (git-fixes).
  • scsi: core: Fix the return value of scsi_logical_block_count() (git-fixes).
  • scsi: core: Handle devices which return an unusually large VPD page count (git-fixes).
  • scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del() (git-fixes).
  • scsi: fnic: Move flush_work initialization out of if block (bsc#1230055).
  • scsi: hpsa: Fix allocation size for Scsi_Host private data (git-fixes).
  • scsi: libsas: Fix exp-attached device scan after probe failure scanned in again after probe failed (git-fixes).
  • scsi: libsas: Fix the failure of adding phy with zero-address to port (git-fixes).
  • scsi: lpfc: Add cleanup of nvmels_wq after HBA reset (bsc#1233241).
  • scsi: lpfc: Add ELS_RSP cmd to the list of WQEs to flush in lpfc_els_flush_cmd() (bsc#1232757).
  • scsi: lpfc: Call lpfc_sli4_queue_unset() in restart and rmmod paths (bsc#1233241).
  • scsi: lpfc: Change lpfc_nodelist nlp_flag member into a bitmask (bsc#1233241).
  • scsi: lpfc: Check devloss callbk done flag for potential stale NDLP ptrs (bsc#1233241).
  • scsi: lpfc: Check SLI_ACTIVE flag in FDMI cmpl before submitting follow up FDMI (bsc#1233241).
  • scsi: lpfc: Copyright updates for 14.4.0.6 patches (bsc#1233241).
  • scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance (bsc#1232757).
  • scsi: lpfc: Fix kref imbalance on fabric ndlps from dev_loss_tmo handler (bsc#1232757).
  • scsi: lpfc: Modify CGN warning signal calculation based on EDC response (bsc#1233241).
  • scsi: lpfc: Prevent NDLP reference count underflow in dev_loss_tmo callback (bsc#1233241).
  • scsi: lpfc: Remove NLP_RELEASE_RPI flag from nodelist structure (bsc#1233241).
  • scsi: lpfc: Remove trailing space after \n newline (bsc#1232757).
  • scsi: lpfc: Restrict support for 32 byte CDBs to specific HBAs (git-fixes).
  • scsi: lpfc: Revise TRACE_EVENT log flag severities from KERN_ERR to KERN_WARNING (bsc#1232757).
  • scsi: lpfc: Support loopback tests with VMID enabled (bsc#1232757).
  • scsi: lpfc: Update lpfc version to 14.4.0.5 (bsc#1232757).
  • scsi: lpfc: Update lpfc version to 14.4.0.6 (bsc#1233241).
  • scsi: lpfc: Update lpfc_els_flush_cmd() to check for SLI_ACTIVE before BSG flag (bsc#1233241).
  • scsi: lpfc: Update phba link state conditional before sending CMF_SYNC_WQE (bsc#1232757).
  • scsi: mac_scsi: Disallow bus errors during PDMA send (git-fixes).
  • scsi: mac_scsi: Refactor polling loop (git-fixes).
  • scsi: mac_scsi: Revise printk(KERN_DEBUG ...) messages (git-fixes).
  • scsi: mpi3mr: Avoid IOMMU page faults on REPORT ZONES (git-fixes).
  • scsi: mpi3mr: Fix ATA NCQ priority support (git-fixes).
  • scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES (git-fixes).
  • scsi: NCR5380: Check for phase match during PDMA fixup (git-fixes).
  • scsi: qedf: Set qed_slowpath_params to zero before use (git-fixes).
  • scsi: scsi_transport_fc: Allow setting rport state to current state (git-fixes).
  • scsi: sd_zbc: Use kvzalloc() to allocate REPORT ZONES buffer (git-fixes).
  • scsi: smartpqi: correct stream detection (git-fixes).
  • scsi: smartpqi: revert propagate-the-multipath-failure-to-SML-quickly (git-fixes).
  • scsi: spi: Fix sshdr use (git-fixes).
  • scsi: wd33c93: Do not use stale scsi_pointer value (git-fixes).
  • security/keys: fix slab-out-of-bounds in key_task_permission (git-fixes).
  • selftests/bpf: Add a test case to write mtu result into .rodata (git-fixes).
  • selftests/bpf: Add a test case to write strtol result into .rodata (git-fixes).
  • selftests/bpf: Fix ARG_PTR_TO_LONG {half-,}uninitialized test (git-fixes).
  • selftests/bpf: Rename ARG_PTR_TO_LONG test description (git-fixes).
  • selftests/bpf: test for malformed BPF_CORE_TYPE_ID_LOCAL relocation (git-fixes).
  • serial: 8250: omap: Move pm_runtime_get_sync (git-fixes).
  • sfc: Check firmware supports Ethernet PTP filter (git-fixes).
  • sfc: do not unregister flow_indr if it was never registered (git-fixes).
  • sfc: fix a double-free bug in efx_probe_filters (git-fixes).
  • signal: Replace BUG_ON()s (bsc#1234093).
  • spi: atmel-quadspi: Fix register name in verbose logging function (git-fixes).
  • spi: bcm63xx: Enable module autoloading (stable-fixes).
  • spi: bcm63xx: Fix module autoloading (git-fixes).
  • spi: Fix acpi deferred irq probe (git-fixes).
  • spi: lpspi: release requested DMA channels (stable-fixes).
  • spi: lpspi: Silence error message upon deferred probe (stable-fixes).
  • spi: lpspi: Simplify some error message (git-fixes).
  • spi: ppc4xx: Avoid returning 0 when failed to parse and map IRQ (git-fixes).
  • spi: ppc4xx: handle irq_of_parse_and_map() errors (git-fixes).
  • spi: s3c64xx: fix timeout counters in flush_fifo (git-fixes).
  • spi: spi-fsl-lpspi: Undo runtime PM changes at driver exit time (git-fixes).
  • spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled (git-fixes).
  • spi: spidev: Add missing spi_device_id for jg10309-01 (git-fixes).
  • staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() (git-fixes).
  • static_call: Do not make __static_call_return0 static (git-fixes).
  • sunrpc: clnt.c: Remove misleading comment (git-fixes).
  • sunrpc: Fix integer overflow in decode_rc_list() (git-fixes).
  • sunrpc: Fixup gss_status tracepoint error output (git-fixes).
  • thermal: core: Initialize thermal zones before registering them (git-fixes).
  • thermal: intel: int340x: processor: Fix warning during module unload (git-fixes).
  • tpm: Lock TPM chip in tpm_pm_suspend() first (bsc#1082555 git-fixes).
  • tracing: Consider the NULL character when validating the event length (git-fixes).
  • tracing/hwlat: Fix a race during cpuhp processing (git-fixes).
  • tracing/uprobes: Use trace_event_buffer_reserve() helper (git-fixes).
  • tun: Fix xdp_rxq_info's queue_index when detaching (git-fixes).
  • tun: prevent negative ifindex (git-fixes).
  • ucounts: fix counter leak in inc_rlimit_get_ucounts() (bsc#1233460).
  • Update config files (bsc#1218644). LIVEPATCH_IPA_CLONES=n => LIVEPATCH=n
  • Update config files. Enabled IDPF for ARM64 (bsc#1221309)
  • uprobe: avoid out-of-bounds memory access of fetching args (git-fixes).
  • uprobes: encapsulate preparation of uprobe args buffer (git-fixes).
  • usb: appledisplay: close race between probe and completion handler (stable-fixes).
  • usb: chaoskey: fail open after removal (git-fixes).
  • usb: chaoskey: Fix possible deadlock chaoskey_list_lock (git-fixes).
  • usb: chipidea: udc: enable suspend interrupt after usb reset (stable-fixes).
  • usb: dwc2: Adjust the timing of USB Driver Interrupt Registration in the Crashkernel Scenario (stable-fixes).
  • usb: dwc3: core: Stop processing of pending events if controller is halted (git-fixes).
  • usb: dwc3: gadget: Add missing check for single port RAM in TxFIFO resizing logic (git-fixes).
  • usb: dwc3: gadget: Fix checking for number of TRBs left (git-fixes).
  • usb: dwc3: gadget: Fix looping of queued SG entries (git-fixes).
  • usb: ehci-spear: fix call balance of sehci clk handling routines (git-fixes).
  • usb: gadget: core: force synchronous registration (git-fixes).
  • usb: misc: cypress_cy7c63: check for short transfer (stable-fixes).
  • usb: misc: yurex: fix race between read and write (stable-fixes).
  • usb: musb: sunxi: Fix accessing an released usb phy (git-fixes).
  • usb: phy: Fix API devm_usb_put_phy() can not release the phy (git-fixes).
  • usb: serial: ftdi_sio: Fix atomicity violation in get_serial_info() (git-fixes).
  • usb: serial: io_edgeport: fix use after free in debug printk (git-fixes).
  • usb: serial: option: add Fibocom FG132 0x0112 composition (stable-fixes).
  • usb: serial: option: add Quectel RG650V (stable-fixes).
  • usb: serial: option: add support for Quectel EG916Q-GL (stable-fixes).
  • usb: serial: option: add Telit FN920C04 MBIM compositions (stable-fixes).
  • usb: serial: pl2303: add device id for Macrosilicon MS3020 (stable-fixes).
  • usb: serial: qcserial: add support for Sierra Wireless EM86xx (stable-fixes).
  • usb: storage: ignore bogus device raised by JieLi BR21 USB sound chip (stable-fixes).
  • usb: typec: altmode should keep reference to parent (git-fixes).
  • usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd() (git-fixes).
  • usb: typec: fix unreleased fwnode_handle in typec_port_register_altmodes() (git-fixes).
  • usb: using mutex lock and supporting O_NONBLOCK flag in iowarrior_read() (git-fixes).
  • usb: xhci: Fix problem with xhci resume from suspend (stable-fixes).
  • usb: xhci: Fix TD invalidation under pending Set TR Dequeue (git-fixes).
  • usb: yurex: Fix inconsistent locking bug in yurex_read() (git-fixes).
  • usb: yurex: make waiting on yurex_write interruptible (git-fixes).
  • usb: yurex: Replace snprintf() with the safer scnprintf() variant (stable-fixes).
  • usbip: tools: Fix detach_port() invalid port error path (git-fixes).
  • usbnet: ipheth: fix carrier detection in modes 1 and 4 (stable-fixes).
  • Use pahole -j1 option for reproducible builds (bsc#1230414 bsc#1229450).
  • vdpa/mlx5: preserve CVQ vringh index (git-fixes).
  • vhost_vdpa: assign irq bypass producer token correctly (git-fixes).
  • vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() (git-fixes).
  • virtio_console: fix misc probe bugs (git-fixes).
  • virtio_net: fixing XDP for fully checksummed packets handling (git-fixes).
  • virtio-net: synchronize probe with ndo_set_features (git-fixes).
  • vmxnet3: add command to allow disabling of offloads (bsc#1226498).
  • vmxnet3: add latency measurement support in vmxnet3 (bsc#1226498).
  • vmxnet3: prepare for version 9 changes (bsc#1226498).
  • vmxnet3: update to version 9 (bsc#1226498).
  • vsock/virtio: fix packet delivery to tap device (git-fixes).
  • watchdog: mediatek: Make sure system reset gets asserted in mtk_wdt_restart() (git-fixes).
  • watchdog: rti: of: honor timeout-sec property (git-fixes).
  • wifi: ath10k: fix invalid VHT parameters in supported_vht_mcs_rate_nss1 (git-fixes).
  • wifi: ath10k: fix invalid VHT parameters in supported_vht_mcs_rate_nss2 (git-fixes).
  • wifi: ath10k: Fix memory leak in management tx (git-fixes).
  • wifi: ath11k: fix array out-of-bound access in SoC stats (stable-fixes).
  • wifi: ath11k: Fix invalid ring usage in full monitor mode (git-fixes).
  • wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit (stable-fixes).
  • wifi: ath9k: add range check for conn_rsp_epid in htc_connect_service() (git-fixes).
  • wifi: ath9k: fix parameter check in ath9k_init_debug() (stable-fixes).
  • wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() (stable-fixes).
  • wifi: ath9k: Remove error checks when creating debugfs entries (git-fixes).
  • wifi: brcm80211: BRCM_TRACING should depend on TRACING (git-fixes).
  • wifi: iwlegacy: Clear stale interrupts before resuming device (stable-fixes).
  • wifi: iwlwifi: clear trans->state earlier upon error (stable-fixes).
  • wifi: iwlwifi: lower message level for FW buffer destination (stable-fixes).
  • wifi: iwlwifi: mvm: disconnect station vifs if recovery failed (stable-fixes).
  • wifi: iwlwifi: mvm: fix iwl_mvm_scan_fits() calculation (stable-fixes).
  • wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd() (git-fixes).
  • wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower (git-fixes).
  • wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys (git-fixes).
  • wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() (stable-fixes).
  • wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_config_scan() (git-fixes).
  • wifi: mwifiex: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes).
  • wifi: p54: Use IRQF_NO_AUTOEN flag in request_irq() (git-fixes).
  • wifi: rtw88: select WANT_DEV_COREDUMP (stable-fixes).
  • workqueue: Avoid using isolated cpus' timers on (bsc#1231327)
  • workqueue: mark power efficient workqueue as unbounded if (bsc#1231327)
  • x86/bugs: Do not use UNTRAIN_RET with IBPB on entry (git-fixes).
  • x86/bugs: Skip RSB fill at VMEXIT (git-fixes).
  • x86/cpufeatures: Add a IBPB_NO_RET BUG flag (git-fixes).
  • x86/cpufeatures: Define X86_FEATURE_AMD_IBPB_RET (git-fixes).
  • x86/entry: Have entry_ibpb() invalidate return predictions (git-fixes).
  • x86/hyperv: Set X86_FEATURE_TSC_KNOWN_FREQ when Hyper-V provides frequency (git-fixes).
  • x86/kaslr: Expose and use the end of the physical memory address space (bsc#1230405).
  • x86/kvm: fix is_stale_page_fault() (bsc#1221333).
  • xfrm: set dst dev to blackhole_netdev instead of loopback_dev in ifdown (bsc#1216813).
  • xhci: Fix incorrect stream context type macro (git-fixes).
  • xhci: Fix Link TRB DMA in command ring stopped completion event (git-fixes).
  • xhci: Mitigate failed set dequeue pointer commands (git-fixes).
  • xhci: Separate PORT and CAPs macros into dedicated file (stable-fixes).
  • xhci: Use pm_runtime_get to prevent RPM on unsupported systems (git-fixes).

Package list

Container bci/bci-sle15-kernel-module-devel:15.5
kernel-default-devel-5.14.21-150500.55.88.1
kernel-devel-5.14.21-150500.55.88.1
kernel-macros-5.14.21-150500.55.88.1
kernel-syms-5.14.21-150500.55.88.1
Container suse/sle-micro/base-5.5:latest
kernel-default-5.14.21-150500.55.88.1
Container suse/sle-micro/kvm-5.5:latest
kernel-default-base-5.14.21-150500.55.88.1.150500.6.39.4
Image SLES15-SP5-BYOS-Azure
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-BYOS-EC2
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-BYOS-GCE
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-CHOST-BYOS-Azure
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-CHOST-BYOS-EC2
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-CHOST-BYOS-GCE
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-CHOST-BYOS-GDC
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-CHOST-BYOS-SAP-CCloud
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-EC2
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-GCE
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-HPC-BYOS-Azure
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-HPC-BYOS-EC2
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-HPC-BYOS-GCE
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Hardened-BYOS-Azure
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Hardened-BYOS-EC2
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Hardened-BYOS-GCE
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Manager-Proxy-5-0-BYOS
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Manager-Proxy-5-0-BYOS-Azure
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Manager-Proxy-5-0-BYOS-EC2
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Manager-Proxy-5-0-BYOS-GCE
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Manager-Server-5-0
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Manager-Server-5-0-Azure-llc
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Manager-Server-5-0-Azure-ltd
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Manager-Server-5-0-BYOS
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Manager-Server-5-0-BYOS-Azure
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Manager-Server-5-0-BYOS-EC2
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Manager-Server-5-0-BYOS-GCE
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Manager-Server-5-0-EC2-llc
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Manager-Server-5-0-EC2-ltd
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Micro-5-5
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Micro-5-5-Azure
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Micro-5-5-BYOS
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Micro-5-5-BYOS-Azure
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Micro-5-5-BYOS-EC2
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Micro-5-5-BYOS-GCE
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Micro-5-5-EC2
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-Micro-5-5-GCE
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAP-Azure-3P
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAP-Azure-LI-BYOS
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAP-Azure-LI-BYOS-Production
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAP-Azure-VLI-BYOS
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAP-BYOS-Azure
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAP-BYOS-EC2
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAP-BYOS-GCE
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAP-Hardened-Azure
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAP-Hardened-BYOS-Azure
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAP-Hardened-BYOS-EC2
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAP-Hardened-BYOS-GCE
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAP-Hardened-GCE
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAPCAL-Azure
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAPCAL-EC2
kernel-default-5.14.21-150500.55.88.1
Image SLES15-SP5-SAPCAL-GCE
kernel-default-5.14.21-150500.55.88.1
SUSE Linux Enterprise High Availability Extension 15 SP5
cluster-md-kmp-default-5.14.21-150500.55.88.1
dlm-kmp-default-5.14.21-150500.55.88.1
gfs2-kmp-default-5.14.21-150500.55.88.1
ocfs2-kmp-default-5.14.21-150500.55.88.1
SUSE Linux Enterprise Live Patching 15 SP5
kernel-default-livepatch-5.14.21-150500.55.88.1
kernel-default-livepatch-devel-5.14.21-150500.55.88.1
kernel-livepatch-5_14_21-150500_55_88-default-1-150500.11.5.1
SUSE Linux Enterprise Micro 5.5
kernel-default-5.14.21-150500.55.88.1
kernel-default-base-5.14.21-150500.55.88.1.150500.6.39.4
SUSE Linux Enterprise Module for Basesystem 15 SP5
kernel-64kb-5.14.21-150500.55.88.1
kernel-64kb-devel-5.14.21-150500.55.88.1
kernel-default-5.14.21-150500.55.88.1
kernel-default-base-5.14.21-150500.55.88.1.150500.6.39.4
kernel-default-devel-5.14.21-150500.55.88.1
kernel-devel-5.14.21-150500.55.88.1
kernel-macros-5.14.21-150500.55.88.1
kernel-zfcpdump-5.14.21-150500.55.88.1
SUSE Linux Enterprise Module for Development Tools 15 SP5
kernel-docs-5.14.21-150500.55.88.1
kernel-obs-build-5.14.21-150500.55.88.1
kernel-source-5.14.21-150500.55.88.1
kernel-syms-5.14.21-150500.55.88.1
SUSE Linux Enterprise Module for Legacy 15 SP5
reiserfs-kmp-default-5.14.21-150500.55.88.1

Description

In the Linux kernel, the following vulnerability has been resolved: phy: mdio: fix memory leak

Syzbot reported a memory leak in the MDIO bus interface; the problem was in wrong state logic. MDIOBUS_ALLOCATED indicates 2 states:
1. Bus is only allocated.
2. Bus allocated and __mdiobus_register() fails, but device_register() was called.
In case device_register() has been called we should call put_device() to correctly free the memory allocated for this device, but mdiobus_free() calls just kfree(dev) in case of MDIOBUS_ALLOCATED state. To avoid this behaviour we need to set bus->state to MDIOBUS_UNREGISTERED _before_ calling device_register(), because put_device() should be called even in case of device_register() failure.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: drm/vc4: kms: Add missing drm_crtc_commit_put

Commit 9ec03d7f1ed3 ("drm/vc4: kms: Wait on previous FIFO users before a commit") introduced a global state for the HVS, with each FIFO storing the current CRTC commit so that we can properly synchronize commits. However, the refcounting was off and we thus ended up leaking the drm_crtc_commit structure every commit. Add a drm_crtc_commit_put to prevent the leakage.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: mptcp: never allow the PM to close a listener subflow

Currently, when deleting an endpoint the netlink PM traverses all the local MPTCP sockets, regardless of their status. If an MPTCP listener socket is bound to the IP matching the deleted endpoint, the listener TCP socket will be closed. That is unexpected: the PM should only affect data subflows.

Additionally, syzbot was able to trigger a NULL ptr dereference due to the above:

    general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
    KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
    CPU: 1 PID: 6550 Comm: syz-executor122 Not tainted 5.16.0-rc4-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:__lock_acquire+0xd7d/0x54a0 kernel/locking/lockdep.c:4897
    Code: 0f 0e 41 be 01 00 00 00 0f 86 c8 00 00 00 89 05 69 cc 0f 0e e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 f3 2f 00 00 48 81 3b 20 75 17 8f 0f 84 52 f3 ff
    RSP: 0018:ffffc90001f2f818 EFLAGS: 00010016
    RAX: dffffc0000000000 RBX: 0000000000000018 RCX: 0000000000000000
    RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000001
    RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
    R10: 0000000000000000 R11: 000000000000000a R12: 0000000000000000
    R13: ffff88801b98d700 R14: 0000000000000000 R15: 0000000000000001
    FS:  00007f177cd3d700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 00007f177cd1b268 CR3: 000000001dd55000 CR4: 0000000000350ee0
    Call Trace:
     <TASK>
     lock_acquire kernel/locking/lockdep.c:5637 [inline]
     lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5602
     __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
     _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
     finish_wait+0xc0/0x270 kernel/sched/wait.c:400
     inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline]
     inet_csk_accept+0x7de/0x9d0 net/ipv4/inet_connection_sock.c:497
     mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2865
     inet_accept+0xe4/0x7b0 net/ipv4/af_inet.c:739
     mptcp_stream_accept+0x2e7/0x10e0 net/mptcp/protocol.c:3345
     do_accept+0x382/0x510 net/socket.c:1773
     __sys_accept4_file+0x7e/0xe0 net/socket.c:1816
     __sys_accept4+0xb0/0x100 net/socket.c:1846
     __do_sys_accept net/socket.c:1864 [inline]
     __se_sys_accept net/socket.c:1861 [inline]
     __x64_sys_accept+0x71/0xb0 net/socket.c:1861
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x44/0xae
    RIP: 0033:0x7f177cd8b8e9
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007f177cd3d308 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
    RAX: ffffffffffffffda RBX: 00007f177ce13408 RCX: 00007f177cd8b8e9
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
    RBP: 00007f177ce13400 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007f177ce1340c
    R13: 00007f177cde1004 R14: 6d705f706374706d R15: 0000000000022000
     </TASK>

Fix the issue by explicitly skipping MPTCP sockets in TCP_LISTEN status.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

A vulnerability classified as problematic has been found in Linux Kernel. This affects the function fib_nh_match of the file net/ipv4/fib_semantics.c of the component IPv4 Handler. The manipulation leads to out-of-bounds read. It is possible to initiate the attack remotely. It is recommended to apply a patch to fix this issue. The identifier VDB-210357 was assigned to this vulnerability.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

An issue was discovered in the Linux kernel through 6.0.10. l2cap_config_req in net/bluetooth/l2cap_core.c has an integer wraparound via L2CAP_CONF_REQ packets.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix hang during unmount when stopping a space reclaim worker

Often when running generic/562 from fstests we can hang during unmount, resulting in a trace like this:

    Sep 07 11:52:00 debian9 unknown: run fstests generic/562 at 2022-09-07 11:52:00
    Sep 07 11:55:32 debian9 kernel: INFO: task umount:49438 blocked for more than 120 seconds.
    Sep 07 11:55:32 debian9 kernel: Not tainted 6.0.0-rc2-btrfs-next-122 #1
    Sep 07 11:55:32 debian9 kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
    Sep 07 11:55:32 debian9 kernel: task:umount state:D stack: 0 pid:49438 ppid: 25683 flags:0x00004000
    Sep 07 11:55:32 debian9 kernel: Call Trace:
    Sep 07 11:55:32 debian9 kernel: <TASK>
    Sep 07 11:55:32 debian9 kernel: __schedule+0x3c8/0xec0
    Sep 07 11:55:32 debian9 kernel: ? rcu_read_lock_sched_held+0x12/0x70
    Sep 07 11:55:32 debian9 kernel: schedule+0x5d/0xf0
    Sep 07 11:55:32 debian9 kernel: schedule_timeout+0xf1/0x130
    Sep 07 11:55:32 debian9 kernel: ? lock_release+0x224/0x4a0
    Sep 07 11:55:32 debian9 kernel: ? lock_acquired+0x1a0/0x420
    Sep 07 11:55:32 debian9 kernel: ? trace_hardirqs_on+0x2c/0xd0
    Sep 07 11:55:32 debian9 kernel: __wait_for_common+0xac/0x200
    Sep 07 11:55:32 debian9 kernel: ? usleep_range_state+0xb0/0xb0
    Sep 07 11:55:32 debian9 kernel: __flush_work+0x26d/0x530
    Sep 07 11:55:32 debian9 kernel: ? flush_workqueue_prep_pwqs+0x140/0x140
    Sep 07 11:55:32 debian9 kernel: ? trace_clock_local+0xc/0x30
    Sep 07 11:55:32 debian9 kernel: __cancel_work_timer+0x11f/0x1b0
    Sep 07 11:55:32 debian9 kernel: ? close_ctree+0x12b/0x5b3 [btrfs]
    Sep 07 11:55:32 debian9 kernel: ? __trace_bputs+0x10b/0x170
    Sep 07 11:55:32 debian9 kernel: close_ctree+0x152/0x5b3 [btrfs]
    Sep 07 11:55:32 debian9 kernel: ? evict_inodes+0x166/0x1c0
    Sep 07 11:55:32 debian9 kernel: generic_shutdown_super+0x71/0x120
    Sep 07 11:55:32 debian9 kernel: kill_anon_super+0x14/0x30
    Sep 07 11:55:32 debian9 kernel: btrfs_kill_super+0x12/0x20 [btrfs]
    Sep 07 11:55:32 debian9 kernel: deactivate_locked_super+0x2e/0xa0
    Sep 07 11:55:32 debian9 kernel: cleanup_mnt+0x100/0x160
    Sep 07 11:55:32 debian9 kernel: task_work_run+0x59/0xa0
    Sep 07 11:55:32 debian9 kernel: exit_to_user_mode_prepare+0x1a6/0x1b0
    Sep 07 11:55:32 debian9 kernel: syscall_exit_to_user_mode+0x16/0x40
    Sep 07 11:55:32 debian9 kernel: do_syscall_64+0x48/0x90
    Sep 07 11:55:32 debian9 kernel: entry_SYSCALL_64_after_hwframe+0x63/0xcd
    Sep 07 11:55:32 debian9 kernel: RIP: 0033:0x7fcde59a57a7
    Sep 07 11:55:32 debian9 kernel: RSP: 002b:00007ffe914217c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
    Sep 07 11:55:32 debian9 kernel: RAX: 0000000000000000 RBX: 00007fcde5ae8264 RCX: 00007fcde59a57a7
    Sep 07 11:55:32 debian9 kernel: RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000055b57556cdd0
    Sep 07 11:55:32 debian9 kernel: RBP: 000055b57556cba0 R08: 0000000000000000 R09: 00007ffe91420570
    Sep 07 11:55:32 debian9 kernel: R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
    Sep 07 11:55:32 debian9 kernel: R13: 000055b57556cdd0 R14: 000055b57556ccb8 R15: 0000000000000000
    Sep 07 11:55:32 debian9 kernel: </TASK>

What happens is the following:

1) The cleaner kthread tries to start a transaction to delete an unused block group, but the metadata reservation can not be satisfied right away, so a reservation ticket is created and it starts the async metadata reclaim task (fs_info->async_reclaim_work);

2) Writeback for all the filler inodes with an i_size of 2K starts (generic/562 creates a lot of 2K files with the goal of filling metadata space). We try to create an inline extent for them, but we fail when trying to insert the inline extent with -ENOSPC (at cow_file_range_inline()) - since this is not critical, we fallback to non-inline mode (back to cow_file_range()), reserve extents ---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: erofs: fix pcluster use-after-free on UP platforms

During stress testing with CONFIG_SMP disabled, KASAN reports as below:

    ==================================================================
    BUG: KASAN: use-after-free in __mutex_lock+0xe5/0xc30
    Read of size 8 at addr ffff8881094223f8 by task stress/7789
    CPU: 0 PID: 7789 Comm: stress Not tainted 6.0.0-rc1-00002-g0d53d2e882f9 #3
    Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
    Call Trace:
     <TASK>
     ..
     __mutex_lock+0xe5/0xc30
     ..
     z_erofs_do_read_page+0x8ce/0x1560
     ..
     z_erofs_readahead+0x31c/0x580
     ..
    Freed by task 7787
     kasan_save_stack+0x1e/0x40
     kasan_set_track+0x20/0x30
     kasan_set_free_info+0x20/0x40
     __kasan_slab_free+0x10c/0x190
     kmem_cache_free+0xed/0x380
     rcu_core+0x3d5/0xc90
     __do_softirq+0x12d/0x389
    Last potentially related work creation:
     kasan_save_stack+0x1e/0x40
     __kasan_record_aux_stack+0x97/0xb0
     call_rcu+0x3d/0x3f0
     erofs_shrink_workstation+0x11f/0x210
     erofs_shrink_scan+0xdc/0x170
     shrink_slab.constprop.0+0x296/0x530
     drop_slab+0x1c/0x70
     drop_caches_sysctl_handler+0x70/0x80
     proc_sys_call_handler+0x20a/0x2f0
     vfs_write+0x555/0x6c0
     ksys_write+0xbe/0x160
     do_syscall_64+0x3b/0x90

The root cause is that erofs_workgroup_unfreeze() doesn't reset to orig_val, which causes a race where the pcluster is reused unexpectedly before freeing. Since UP platforms are quite rare now, such a path becomes unnecessary. Let's drop this specially designed path directly instead.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: efi: fix NULL-deref in init error path

In cases where runtime services are not supported or have been disabled, the runtime services workqueue will never have been allocated. Do not try to destroy the workqueue unconditionally in the unlikely event that EFI initialisation fails, to avoid dereferencing a NULL pointer.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: udf: Fix preallocation discarding at indirect extent boundary

When the preallocation extent is the first one in the extent block, the code would corrupt the extent tree header instead. Fix the problem and use udf_delete_aext() for deleting the extent to avoid some code duplication.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix u8 overflow

By continuing to send L2CAP_CONF_REQ packets, chan->num_conf_rsp is incremented repeatedly and eventually wraps around the maximum value (i.e., 255). This patch prevents this by adding a boundary check against L2CAP_MAX_CONF_RSP.

Btmon log:

    Bluetooth monitor ver 5.64
    = Note: Linux version 6.1.0-rc2 (x86_64)                               0.264594
    = Note: Bluetooth subsystem version 2.22                               0.264636
    @ MGMT Open: btmon (privileged) version 1.22                  {0x0001} 0.272191
    = New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0)          [hci0] 13.877604
    @ RAW Open: 9496 (privileged) version 2.22                    {0x0002} 13.890741
    = Open Index: 00:00:00:00:00:00                                [hci0] 13.900426
    (...)
    > ACL Data RX: Handle 200 flags 0x00 dlen 1033            #32 [hci0] 14.273106
        invalid packet size (12 != 1033)
        08 00 01 00 02 01 04 00 01 10 ff ff                      ............
    > ACL Data RX: Handle 200 flags 0x00 dlen 1547            #33 [hci0] 14.273561
        invalid packet size (14 != 1547)
        0a 00 01 00 04 01 06 00 40 00 00 00 00 00                ........@.....
    > ACL Data RX: Handle 200 flags 0x00 dlen 2061            #34 [hci0] 14.274390
        invalid packet size (16 != 2061)
        0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04          ........@.......
    > ACL Data RX: Handle 200 flags 0x00 dlen 2061            #35 [hci0] 14.274932
        invalid packet size (16 != 2061)
        0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00          ........@.......
    = bluetoothd: Bluetooth daemon 5.43                                   14.401828
    > ACL Data RX: Handle 200 flags 0x00 dlen 1033            #36 [hci0] 14.275753
        invalid packet size (12 != 1033)
        08 00 01 00 04 01 04 00 40 00 00 00                      ........@...


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: Prevent buffer overflow in setup handler

The setup function uvc_function_setup permits control transfer requests with up to 64 bytes of payload (UVC_MAX_REQUEST_SIZE); the data stage handler for OUT transfers uses memcpy to copy req->actual bytes into the uvc_event->data.data array of size 60. This may result in an overflow of 4 bytes.
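As an added example (not the driver's own code), the size mismatch the description names beside a bounded data-stage copy. Only the 64-byte request limit and the 60-byte array come from the description; the struct, the function names and the clamp-and-zero pattern are constructed for illustration and are not the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes from the description above: the setup stage accepts up to
 * UVC_MAX_REQUEST_SIZE bytes, but the event payload is a 60-byte array. */
#define UVC_MAX_REQUEST_SIZE 64
#define UVC_EVENT_DATA_SIZE  60

/* Constructed stand-in for the event payload (not the kernel's struct). */
struct uvc_event_data_ex {
    int32_t length;
    uint8_t data[UVC_EVENT_DATA_SIZE];
};

/* How many bytes an unchecked memcpy(data, buf, req_actual) would write
 * past the end of the 60-byte array: 4 for the 64-byte maximum, 0 when
 * the request fits. Computed, not performed, so this never overflows. */
size_t uvc_overflow_bytes(size_t req_actual)
{
    return req_actual > UVC_EVENT_DATA_SIZE ? req_actual - UVC_EVENT_DATA_SIZE : 0;
}

/* Bounded data-stage copy (constructed hardening pattern): reject anything
 * above the setup-stage limit, clamp the copy to the destination size, and
 * zero the array first so no stale bytes reach the reader of the event.
 * Returns the number of bytes copied, or -1 for an oversize request. */
int uvc_copy_setup_data(struct uvc_event_data_ex *ev, const uint8_t *buf, size_t req_actual)
{
    if (req_actual > UVC_MAX_REQUEST_SIZE)
        return -1;                              /* should never pass the setup stage */

    size_t n = req_actual;
    if (n > sizeof(ev->data))
        n = sizeof(ev->data);                   /* clamp: 64 -> 60 */

    memset(ev->data, 0, sizeof(ev->data));
    memcpy(ev->data, buf, n);
    ev->length = (int32_t)n;
    return (int)n;
}

/* Constructed request: a maximal 64-byte OUT data stage filled with a
 * recognisable pattern (byte i == i). Returns the length the event records. */
int uvc_demo_max_request(void)
{
    struct uvc_event_data_ex ev;
    uint8_t req_buf[UVC_MAX_REQUEST_SIZE];

    for (size_t i = 0; i < sizeof(req_buf); i++)
        req_buf[i] = (uint8_t)i;

    int copied = uvc_copy_setup_data(&ev, req_buf, sizeof(req_buf));
    if (copied < 0 || ev.data[UVC_EVENT_DATA_SIZE - 1] != UVC_EVENT_DATA_SIZE - 1)
        return -1;                              /* last byte kept must be byte 59 */
    return ev.length;
}

/* Constructed request one byte above the setup-stage limit. */
int uvc_demo_oversize_request(void)
{
    struct uvc_event_data_ex ev;
    uint8_t req_buf[UVC_MAX_REQUEST_SIZE + 1] = {0};

    return uvc_copy_setup_data(&ev, req_buf, sizeof(req_buf));
}
```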


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: igb: Initialize mailbox message for VF reset

When a MAC address is not assigned to the VF, that portion of the message sent to the VF is not set. The memory, however, is allocated from the stack, meaning that information may be leaked to the VM. Initialize the message buffer to 0 so that no information is passed to the VM in this case.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()

The bounds checks in snd_soc_put_volsw_sx() are only being applied to the first channel, meaning it is possible to write out of bounds values to the second channel in stereo controls. Add appropriate checks.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: rtc: cmos: Fix event handler registration ordering issue

Because acpi_install_fixed_event_handler() enables the event automatically on success, it is incorrect to call it before the handler routine passed to it is ready to handle events.

Unfortunately, the rtc-cmos driver does exactly the incorrect thing by calling cmos_wake_setup(), which passes rtc_handler() to acpi_install_fixed_event_handler(), before cmos_do_probe(), because rtc_handler() uses dev_get_drvdata() to get to the cmos object pointer and the driver data pointer is only populated in cmos_do_probe().

This leads to a NULL pointer dereference in rtc_handler() on boot if the RTC fixed event happens to be active at the init time.

To address this issue, change the initialization ordering of the driver so that cmos_wake_setup() is always called after a successful cmos_do_probe() call.

While at it, change cmos_pnp_probe() to call cmos_do_probe() after the initial if () statement used for computing the IRQ argument to be passed to cmos_do_probe(), which is cleaner than calling it in each branch of that if () (local variable "irq" can be of type int, because it is passed to that function as an argument of type int).

Note that commit 6492fed7d8c9 ("rtc: rtc-cmos: Do not check ACPI_FADT_LOW_POWER_S0") caused this issue to affect a larger number of systems, because previously it only affected systems with ACPI_FADT_LOW_POWER_S0 set, but it is present regardless of that commit.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: s390/qeth: fix use-after-free in hsci

KASAN found that addr was dereferenced after br2dev_event_work was freed.

    ==================================================================
    BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0x5ba/0x6b0
    Read of size 1 at addr 00000000fdcea440 by task kworker/u760:4/540
    CPU: 17 PID: 540 Comm: kworker/u760:4 Tainted: G E 6.1.0-20221128.rc7.git1.5aa3bed4ce83.300.fc36.s390x+kasan #1
    Hardware name: IBM 8561 T01 703 (LPAR)
    Workqueue: 0.0.8000_event qeth_l2_br2dev_worker
    Call Trace:
     [<000000016944d4ce>] dump_stack_lvl+0xc6/0xf8
     [<000000016942cd9c>] print_address_description.constprop.0+0x34/0x2a0
     [<000000016942d118>] print_report+0x110/0x1f8
     [<0000000167a7bd04>] kasan_report+0xfc/0x128
     [<000000016938d79a>] qeth_l2_br2dev_worker+0x5ba/0x6b0
     [<00000001673edd1e>] process_one_work+0x76e/0x1128
     [<00000001673ee85c>] worker_thread+0x184/0x1098
     [<000000016740718a>] kthread+0x26a/0x310
     [<00000001672c606a>] __ret_from_fork+0x8a/0xe8
     [<00000001694711da>] ret_from_fork+0xa/0x40
    Allocated by task 108338:
     kasan_save_stack+0x40/0x68
     kasan_set_track+0x36/0x48
     __kasan_kmalloc+0xa0/0xc0
     qeth_l2_switchdev_event+0x25a/0x738
     atomic_notifier_call_chain+0x9c/0xf8
     br_switchdev_fdb_notify+0xf4/0x110
     fdb_notify+0x122/0x180
     fdb_add_entry.constprop.0.isra.0+0x312/0x558
     br_fdb_add+0x59e/0x858
     rtnl_fdb_add+0x58a/0x928
     rtnetlink_rcv_msg+0x5f8/0x8d8
     netlink_rcv_skb+0x1f2/0x408
     netlink_unicast+0x570/0x790
     netlink_sendmsg+0x752/0xbe0
     sock_sendmsg+0xca/0x110
     ____sys_sendmsg+0x510/0x6a8
     ___sys_sendmsg+0x12a/0x180
     __sys_sendmsg+0xe6/0x168
     __do_sys_socketcall+0x3c8/0x468
     do_syscall+0x22c/0x328
     __do_syscall+0x94/0xf0
     system_call+0x82/0xb0
    Freed by task 540:
     kasan_save_stack+0x40/0x68
     kasan_set_track+0x36/0x48
     kasan_save_free_info+0x4c/0x68
     ____kasan_slab_free+0x14e/0x1a8
     __kasan_slab_free+0x24/0x30
     __kmem_cache_free+0x168/0x338
     qeth_l2_br2dev_worker+0x154/0x6b0
     process_one_work+0x76e/0x1128
     worker_thread+0x184/0x1098
     kthread+0x26a/0x310
     __ret_from_fork+0x8a/0xe8
     ret_from_fork+0xa/0x40
    Last potentially related work creation:
     kasan_save_stack+0x40/0x68
     __kasan_record_aux_stack+0xbe/0xd0
     insert_work+0x56/0x2e8
     __queue_work+0x4ce/0xd10
     queue_work_on+0xf4/0x100
     qeth_l2_switchdev_event+0x520/0x738
     atomic_notifier_call_chain+0x9c/0xf8
     br_switchdev_fdb_notify+0xf4/0x110
     fdb_notify+0x122/0x180
     fdb_add_entry.constprop.0.isra.0+0x312/0x558
     br_fdb_add+0x59e/0x858
     rtnl_fdb_add+0x58a/0x928
     rtnetlink_rcv_msg+0x5f8/0x8d8
     netlink_rcv_skb+0x1f2/0x408
     netlink_unicast+0x570/0x790
     netlink_sendmsg+0x752/0xbe0
     sock_sendmsg+0xca/0x110
     ____sys_sendmsg+0x510/0x6a8
     ___sys_sendmsg+0x12a/0x180
     __sys_sendmsg+0xe6/0x168
     __do_sys_socketcall+0x3c8/0x468
     do_syscall+0x22c/0x328
     __do_syscall+0x94/0xf0
     system_call+0x82/0xb0
    Second to last potentially related work creation:
     kasan_save_stack+0x40/0x68
     __kasan_record_aux_stack+0xbe/0xd0
     kvfree_call_rcu+0xb2/0x760
     kernfs_unlink_open_file+0x348/0x430
     kernfs_fop_release+0xc2/0x320
     __fput+0x1ae/0x768
     task_work_run+0x1bc/0x298
     exit_to_user_mode_prepare+0x1a0/0x1a8
     __do_syscall+0x94/0xf0
     system_call+0x82/0xb0
    The buggy address belongs to the object at 00000000fdcea400
     which belongs to the cache kmalloc-96 of size 96
    The buggy address is located 64 bytes inside of
     96-byte region [00000000fdcea400, 00000000fdcea460)
    The buggy address belongs to the physical page:
    page:000000005a9c26e8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xfdcea
    flags: 0x3ffff00000000200(slab|node=0|zone=1|lastcpupid=0x1ffff)
    raw: 3ffff00000000200 0000000000000000 0000000100000122 000000008008cc00
    raw: 0000000000000000 0020004100000000 ffffffff00000001 0000000000000000
    page dumped because: kasan: bad access detected
    Memory state around the buggy address:
     00000000fdcea300: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
     00000000fdcea380: fb fb fb fb fb fb f ---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: thunderbolt: fix memory leak in tbnet_open()

When tb_ring_alloc_rx() fails in tbnet_open(), the ida allocated in tb_xdomain_alloc_out_hopid() is not released. Add tb_xdomain_release_out_hopid() to the error path to release it.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid use-after-free in ip6_fragment()

The blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers. That is not always true, at least for the UDP stack.

syzbot reported:

    BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
    BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
    Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618
    CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
    Call Trace:
     <TASK>
     __dump_stack lib/dump_stack.c:88 [inline]
     dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
     print_address_description mm/kasan/report.c:284 [inline]
     print_report+0x15e/0x45d mm/kasan/report.c:395
     kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
     ip6_dst_idev include/net/ip6_fib.h:245 [inline]
     ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
     __ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
     ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
     NF_HOOK_COND include/linux/netfilter.h:291 [inline]
     ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
     dst_output include/net/dst.h:445 [inline]
     ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
     ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
     udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
     udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
     udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
     inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
     sock_sendmsg_nosec net/socket.c:714 [inline]
     sock_sendmsg+0xd3/0x120 net/socket.c:734
     sock_write_iter+0x295/0x3d0 net/socket.c:1108
     call_write_iter include/linux/fs.h:2191 [inline]
     new_sync_write fs/read_write.c:491 [inline]
     vfs_write+0x9ed/0xdd0 fs/read_write.c:584
     ksys_write+0x1ec/0x250 fs/read_write.c:637
     do_syscall_x64 arch/x86/entry/common.c:50 [inline]
     do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd
    RIP: 0033:0x7fde3588c0d9
    Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
    RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
    RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9
    RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a
    RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
    R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000
     </TASK>
    Allocated by task 7618:
     kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
     kasan_set_track+0x25/0x30 mm/kasan/common.c:52
     __kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
     kasan_slab_alloc include/linux/kasan.h:201 [inline]
     slab_post_alloc_hook mm/slab.h:737 [inline]
     slab_alloc_node mm/slub.c:3398 [inline]
     slab_alloc mm/slub.c:3406 [inline]
     __kmem_cache_alloc_lru mm/slub.c:3413 [inline]
     kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
     dst_alloc+0x14a/0x1f0 net/core/dst.c:92
     ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
     ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]
     rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]
     ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254
     pol_lookup_func include/net/ip6_fib.h:582 [inline]
     fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121
     ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625
     ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638
     ip6_route_output include/net/ip6_route.h:98 [inline]
     ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092
     ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222
     ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260
     udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554
     inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
     sock_sendmsg_nosec n ---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: dpaa2-switch: Fix memory leak in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove()

The cmd_buff needs to be freed when an error occurs in dpaa2_switch_acl_entry_add() and dpaa2_switch_acl_entry_remove().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: ethernet: aeroflex: fix potential skb leak in greth_init_rings()

The greth_init_rings() function won't free the newly allocated skb when dma_mapping_error() returns an error, so add dev_kfree_skb() to fix it. Compile tested only.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: fix memory leak in sja1105_setup_devlink_regions()

When dsa_devlink_region_create() fails in sja1105_setup_devlink_regions(), priv->regions is not released.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: hisilicon: Fix potential use-after-free in hix5hd2_rx()

The skb is delivered to napi_gro_receive(), which may free it; dereferencing skb after that call may trigger a use-after-free.


Затронутые продукты
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: mdio: fix unbalanced fwnode reference count in mdio_device_release() There is a warning report about an of_node refcount leak while probing an mdio device:

OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /spi/soc@0/mdio@710700c0/ethernet@4

In of_mdiobus_register_device(), we increase the fwnode refcount by fwnode_handle_get() before associating the of_node with the mdio device, but it is never decreased in the normal path. Because of that, mdio_device_release() needs to call fwnode_handle_put() in addition, instead of calling kfree() directly. After the above, just calling mdio_device_free() in the error handling path of of_mdiobus_register_device() is enough to keep the refcount balanced.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: hisilicon: Fix potential use-after-free in hisi_femac_rx() The skb is delivered to napi_gro_receive(), which may free it; dereferencing skb after that call may trigger a use-after-free.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: mvneta: Prevent out of bounds read in mvneta_config_rss() The pp->indir[0] value comes from the user. It is passed to: if (cpu_online(pp->rxq_def)) inside the mvneta_percpu_elect() function. It needs bounds checking to ensure that it is not beyond the end of the cpu bitmap.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Bounds check struct nfc_target arrays While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported:

memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18)

This appears to be a legitimate lack of bounds checking in nci_add_new_protocol(). Add the missing checks.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix potential memory leak in otx2_init_tc() In otx2_init_tc(), if rhashtable_init() fails, it does not free tc->tc_entries_bitmap, which is allocated in otx2_tc_alloc_ent_bitmap().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: xen-netfront: Fix NULL sring after live migration A NAPI is set up for each network sring to poll data to the kernel. The sring with the source host is destroyed before live migration and a new sring with the target host is set up after live migration. The NAPI for the old sring is not deleted until the new sring with the target host is set up after migration. With busy_poll/busy_read enabled, the NAPI can be polled before it gets deleted when the VM resumes:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
IP: xennet_poll+0xae/0xd20

The xen frontend should remove the NAPIs for the old srings before live migration, as the bound srings are destroyed. There is a tiny window between the srings being set to NULL and the NAPIs being disabled; it is safe as the NAPI threads are still frozen at that time.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: af_unix: Get user_ns from in_skb in unix_diag_get_exact(). Wei Chen reported a NULL deref in sk_user_ns() [0][1], and Paolo diagnosed the root cause: in unix_diag_get_exact(), the newly allocated skb does not have sk. [2] We must get the user_ns from the NETLINK_CB(in_skb).sk and pass it to sk_diag_fill().

[0]: BUG: kernel NULL pointer dereference, address: 0000000000000270
[1]: https://lore.kernel.org/netdev/CAO4mrfdvyjFpokhNsiwZiP-wpdSD0AStcJwfKcKQdAALQ9_2Qw@mail.gmail.com/
[2]: https://lore.kernel.org/netdev/e04315e7c90d9a75613f3993c2baf2d344eef7eb.camel@redhat.com/


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix not cleanup led when bt_init fails bt_init() calls bt_leds_init() to register led, but if it fails later, bt_leds_cleanup() is not called to unregister it. This can cause panic if the argument "bluetooth-power" in text is freed and then another led_trigger_register() tries to access it: BUG: unable to handle page fault for address: ffffffffc06d3bc0 RIP: 0010:strcmp+0xc/0x30 Call Trace: <TASK> led_trigger_register+0x10d/0x4f0 led_trigger_register_simple+0x7d/0x100 bt_init+0x39/0xf7 [bluetooth] do_one_initcall+0xd0/0x4e0


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() Kernel fault injection test reports null-ptr-deref as follows:

BUG: kernel NULL pointer dereference, address: 0000000000000008
RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114
Call Trace:
<TASK>
raw_notifier_call_chain+0x6d/0xa0 kernel/notifier.c:87
call_netdevice_notifiers_info+0x6e/0xc0 net/core/dev.c:1944
unregister_netdevice_many_notify+0x60d/0xcb0 net/core/dev.c:1982
unregister_netdevice_queue+0x154/0x1a0 net/core/dev.c:10879
register_netdevice+0x9a8/0xb90 net/core/dev.c:10083
ieee802154_if_add+0x6ed/0x7e0 net/mac802154/iface.c:659
ieee802154_register_hw+0x29c/0x330 net/mac802154/main.c:229
mcr20a_probe+0xaaa/0xcb1 drivers/net/ieee802154/mcr20a.c:1316

ieee802154_if_add() allocates wpan_dev as the netdev's private data, but does not initialize the list in struct wpan_dev. cfg802154_netdev_notifier_call() manages the list on device register/unregister, and this may lead to a null-ptr-deref. Use INIT_LIST_HEAD() on it to initialize it correctly.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: gpio: amd8111: Fix PCI device reference count leak for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() after the 'out' label. Since pci_dev_put() can handle NULL input parameter, there is no problem for the 'Device not found' branch. For the normal path, add pci_dev_put() in amd_gpio_exit().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix memory leak in gpiochip_setup_dev() Here is a backtrace report about a memory leak detected in gpiochip_setup_dev():

unreferenced object 0xffff88810b406400 (size 512):
  comm "python3", pid 1682, jiffies 4295346908 (age 24.090s)
  backtrace:
    kmalloc_trace
    device_add
    device_private_init at drivers/base/core.c:3361
    (inlined by) device_add at drivers/base/core.c:3411
    cdev_device_add
    gpiolib_cdev_register
    gpiochip_setup_dev
    gpiochip_add_data_with_key

gcdev_register() & gcdev_unregister() would call device_add() & device_del() (no matter whether CONFIG_GPIO_CDEV is enabled or not) to register/unregister the device. However, if device_add() succeeds, some resources (like the struct device_private allocated by device_private_init()) are not released by device_del(). Therefore, after device_add() succeeds in gcdev_register(), it needs to call put_device() to release those resources in the error handling path. Here we move the registration of the release function earlier, and let it release every piece of resource via put_device() instead of kfree(). While at it, fix another subtle issue, i.e. when gc->ngpio is equal to 0, we still call kcalloc() and, in case of further error, kfree() on the ZERO_PTR pointer, which is not NULL. It's not a bug per se, but rather a waste of resources and a potentially wrong expectation about the contents of the gdev->descs variable.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: can: af_can: fix NULL pointer dereference in can_rcv_filter Analogue to commit 8aa59e355949 ("can: af_can: fix NULL pointer dereference in can_rx_register()") we need to check for a missing initialization of ml_priv in the receive path of CAN frames. Since commit 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device") the check for dev->type to be ARPHRD_CAN is not sufficient anymore since bonding or tun netdevices claim to be CAN devices but do not initialize ml_priv accordingly.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: HID: core: fix shift-out-of-bounds in hid_report_raw_event Syzbot reported a shift-out-of-bounds in hid_report_raw_event:

microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > 32! (swapper/0)
UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20
shift exponent 127 is too large for 32-bit type 'int'

If the size of the integer (unsigned n) is bigger than 32 in snto32(), the shift exponent will be too large for the 32-bit type 'int', resulting in a shift-out-of-bounds bug. Fix this by adding a check on the size of the integer (unsigned n) in snto32(). To add support for n greater than 32 bits, set n to 32 if n is greater than 32.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix array index out of bound error in DCN32 DML [Why&How] LinkCapacitySupport array is indexed with the number of voltage states and not the number of max DPPs. Fix the error by changing the array declaration to use the correct (larger) array size of total number of voltage states.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing() The SJA1105 family has 45 L2 policing table entries (SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110 (SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but accounting for the difference in port count (5 in SJA1105 vs 10 in SJA1110) does not fully explain the difference. Rather, the SJA1110 also has L2 ingress policers for multicast traffic. If a packet is classified as multicast, it will be processed by the policer index 99 + SRCPORT. The sja1105_init_l2_policing() function initializes all L2 policers such that they don't interfere with normal packet reception by default. To have a common code between SJA1105 and SJA1110, the index of the multicast policer for the port is calculated because it's an index that is out of bounds for SJA1105 but in bounds for SJA1110, and a bounds check is performed. The code fails to do the proper thing when determining what to do with the multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The "mcast" index will be equal to 45, which is also equal to table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it passes through the check. But at the same time, SJA1105 doesn't have multicast policers. So the code programs the SHARINDX field of an out-of-bounds element in the L2 Policing table of the static config. The comparison between index 45 and 45 entries should have determined the code to not access this policer index on SJA1105, since its memory wasn't even allocated. With enough bad luck, the out-of-bounds write could even overwrite other valid kernel data, but in this case, the issue was detected using KASAN. Kernel log:

sja1105 spi5.0: Probed switch chip: SJA1105Q
==================================================================
BUG: KASAN: slab-out-of-bounds in sja1105_setup+0x1cbc/0x2340
Write of size 8 at addr ffffff880bd57708 by task kworker/u8:0/8
...
Workqueue: events_unbound deferred_probe_work_func
Call trace:
...
sja1105_setup+0x1cbc/0x2340
dsa_register_switch+0x1284/0x18d0
sja1105_probe+0x748/0x840
...
Allocated by task 8:
...
sja1105_setup+0x1bcc/0x2340
dsa_register_switch+0x1284/0x18d0
sja1105_probe+0x748/0x840
...


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Remove errant put in error path drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM object getting prematurely freed leading to a later use-after-free.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix crash when replugging CSR fake controllers It seems fake CSR 5.0 clones can cause the suspend notifier to be registered twice, causing the following kernel panic:

[ 71.986122] Call Trace:
[ 71.986124] <TASK>
[ 71.986125] blocking_notifier_chain_register+0x33/0x60
[ 71.986130] hci_register_dev+0x316/0x3d0 [bluetooth 99b5497ea3d09708fa1366c1dc03288bf3cca8da]
[ 71.986154] btusb_probe+0x979/0xd85 [btusb e1e0605a4f4c01984a4b9c8ac58c3666ae287477]
[ 71.986284] btusb: probe of 2-1.6:1.0 failed with error -17


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb() Syzkaller reports a NULL deref bug as follows:

BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3
Read of size 4 at addr 0000000000000138 by task file1/1955

This happens because the adding of task_work from io_ring_exit_work() isn't synchronized with canceling all work items from e.g. exec. The execution of the two is ordered in that they are both run by the task itself, but if io_tctx_exit_cb() is queued while we're canceling all work items off exec AND gets executed when the task exits to userspace rather than in the main loop in io_uring_cancel_generic(), then we can find current->io_uring == NULL and hit the above crash. It's safe to add this NULL check here, because the execution of the two paths is done by the task itself. [axboe: add code comment and also put an explanation in the commit msg]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix race on per-CQ variable napi work_done After calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be cleared, and another CPU can start napi thread and access per-CQ variable, cq->work_done. If the other thread (for example, from busy_poll) sets it to a value >= budget, this thread will continue to run when it should stop, and cause memory corruption and panic. To fix this issue, save the per-CQ work_done variable in a local variable before napi_complete_done(), so it won't be corrupted by a possible concurrent thread after napi_complete_done(). Also, add a flag bit to advertise to the NIC firmware: the NAPI work_done variable race is fixed, so the driver is able to reliably support features like busy_poll.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: media: v4l2-dv-timings.c: fix too strict blanking sanity checks Sanity checks were added to verify the v4l2_bt_timings blanking fields in order to avoid integer overflows when userspace passes weird values. But that assumed that userspace would correctly fill in the front porch, back porch and sync values, but sometimes all you know is the total blanking, which is then assigned to just one of these fields. And that can fail with these checks. So instead set a maximum for the total horizontal and vertical blanking and check that each field remains below that. That is still sufficient to avoid integer overflows, but it also allows for more flexibility in how userspace fills in these fields.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: memcg: fix possible use-after-free in memcg_write_event_control() memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too. Prior to 347c4a874710 ("memcg: remove cgroup_event->cft"), there was a call to __file_cft() which verified that the specified file is a regular cgroupfs file before further accesses. The cftype pointer returned from __file_cft() was no longer necessary and the commit inadvertently dropped the file type check with it, allowing any file to slip through. With the invariants broken, the d_name and parent accesses can now race against renames and removals of arbitrary files and cause use-after-frees. Fix the bug by resurrecting the file type check in __file_cft(). Now that cgroupfs is implemented through kernfs, checking the file operations needs to go through a layer of indirection. Instead, let's check the superblock and dentry type.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: fscache: Fix oops due to race with cookie_lru and use_cookie If a cookie expires from the LRU and the LRU_DISCARD flag is set, but the state machine has not run yet, it's possible another thread can call fscache_use_cookie and begin to use it. When the cookie_worker finally runs, it will see the LRU_DISCARD flag set, transition the cookie->state to LRU_DISCARDING, which will then withdraw the cookie. Once the cookie is withdrawn and the object is removed, the oops below will occur because the object associated with the cookie is now NULL. Fix the oops by clearing the LRU_DISCARD bit if another thread uses the cookie before the cookie_worker runs.

BUG: kernel NULL pointer dereference, address: 0000000000000008
...
CPU: 31 PID: 44773 Comm: kworker/u130:1 Tainted: G E 6.0.0-5.dneg.x86_64 #1
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Workqueue: events_unbound netfs_rreq_write_to_cache_work [netfs]
RIP: 0010:cachefiles_prepare_write+0x28/0x90 [cachefiles]
...
Call Trace:
 netfs_rreq_write_to_cache_work+0x11c/0x320 [netfs]
 process_one_work+0x217/0x3e0
 worker_thread+0x4a/0x3b0
 kthread+0xd6/0x100


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix use-after-free during gpu recovery

[Why]
[ 754.862560] refcount_t: underflow; use-after-free.
[ 754.862898] Call Trace:
[ 754.862903] <TASK>
[ 754.862913] amdgpu_job_free_cb+0xc2/0xe1 [amdgpu]
[ 754.863543] drm_sched_main.cold+0x34/0x39 [amd_sched]

[How]
The fw_fence may not be initialized; check whether dma_fence_init has been performed before the job is freed.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths Any codepath that zaps page table entries must invoke MMU notifiers to ensure that secondary MMUs (like KVM) don't keep accessing pages which aren't mapped anymore. Secondary MMUs don't hold their own references to pages that are mirrored over, so failing to notify them can lead to page use-after-free. I'm marking this as addressing an issue introduced in commit f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of the security impact of this only came in commit 27e1f8273113 ("khugepaged: enable collapse pmd for pte-mapped THP"), which actually omitted flushes for the removal of present PTEs, not just for the removal of empty page tables.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ASoC: soc-pcm: Add NULL check in BE reparenting Add a NULL check in the dpcm_be_reparent API to handle a kernel NULL pointer dereference error. The issue occurred in a fuzzing test.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or a thread getting killed. seq_copy_in_user() and seq_copy_in_kernel() did not have prototypes matching snd_seq_dump_func_t. Adjust this and remove the casts. There are no resulting binary output differences. This was found as a result of Clang's new -Wcast-function-type-strict flag, which is more sensitive than the simpler -Wcast-function-type, which only checks for type width mismatches.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: Input: raydium_ts_i2c - fix memory leak in raydium_i2c_send() There is a kmemleak when testing the raydium_i2c_ts with a bpf mock device:

unreferenced object 0xffff88812d3675a0 (size 8):
  comm "python3", pid 349, jiffies 4294741067 (age 95.695s)
  hex dump (first 8 bytes):
    11 0e 10 c0 01 00 04 00                          ........
  backtrace:
    [<0000000068427125>] __kmalloc+0x46/0x1b0
    [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]
    [<000000006e631aee>] raydium_i2c_initialize.cold+0xbc/0x3e4 [raydium_i2c_ts]
    [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]
    [<00000000a310de16>] i2c_device_probe+0x651/0x680
    [<00000000f5a96bf3>] really_probe+0x17c/0x3f0
    [<00000000096ba499>] __driver_probe_device+0xe3/0x170
    [<00000000c5acb4d9>] driver_probe_device+0x49/0x120
    [<00000000264fe082>] __device_attach_driver+0xf7/0x150
    [<00000000f919423c>] bus_for_each_drv+0x114/0x180
    [<00000000e067feca>] __device_attach+0x1e5/0x2d0
    [<0000000054301fc2>] bus_probe_device+0x126/0x140
    [<00000000aad93b22>] device_add+0x810/0x1130
    [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0
    [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110
    [<00000000ffec4177>] of_i2c_notify+0x100/0x160
unreferenced object 0xffff88812d3675c8 (size 8):
  comm "python3", pid 349, jiffies 4294741070 (age 95.692s)
  hex dump (first 8 bytes):
    22 00 36 2d 81 88 ff ff                          ".6-....
  backtrace:
    [<0000000068427125>] __kmalloc+0x46/0x1b0
    [<0000000090180f91>] raydium_i2c_send+0xd4/0x2bf [raydium_i2c_ts]
    [<000000001d5c9620>] raydium_i2c_initialize.cold+0x223/0x3e4 [raydium_i2c_ts]
    [<00000000dc6fcf38>] raydium_i2c_probe+0x3cd/0x6bc [raydium_i2c_ts]
    [<00000000a310de16>] i2c_device_probe+0x651/0x680
    [<00000000f5a96bf3>] really_probe+0x17c/0x3f0
    [<00000000096ba499>] __driver_probe_device+0xe3/0x170
    [<00000000c5acb4d9>] driver_probe_device+0x49/0x120
    [<00000000264fe082>] __device_attach_driver+0xf7/0x150
    [<00000000f919423c>] bus_for_each_drv+0x114/0x180
    [<00000000e067feca>] __device_attach+0x1e5/0x2d0
    [<0000000054301fc2>] bus_probe_device+0x126/0x140
    [<00000000aad93b22>] device_add+0x810/0x1130
    [<00000000c086a53f>] i2c_new_client_device+0x352/0x4e0
    [<000000003c2c248c>] of_i2c_register_device+0xf1/0x110
    [<00000000ffec4177>] of_i2c_notify+0x100/0x160

After the BANK_SWITCH command from the i2c BUS, whether success or error happened, the tx_buf should be freed.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: char: tpm: Protect tpm_pm_suspend with locks Currently tpm transactions are executed unconditionally in tpm_pm_suspend() function, which may lead to races with other tpm accessors in the system. Specifically, the hw_random tpm driver makes use of tpm_get_random(), and this function is called in a loop from a kthread, which means it's not frozen alongside userspace, and so can race with the work done during system suspend:

tpm tpm0: tpm_transmit: tpm_recv: error -52
tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics
CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
Call Trace:
 tpm_tis_status.cold+0x19/0x20
 tpm_transmit+0x13b/0x390
 tpm_transmit_cmd+0x20/0x80
 tpm1_pm_suspend+0xa6/0x110
 tpm_pm_suspend+0x53/0x80
 __pnp_bus_suspend+0x35/0xe0
 __device_suspend+0x10f/0x350

Fix this by calling tpm_try_get_ops(), which itself is a wrapper around tpm_chip_start(), but takes the appropriate mutex. [Jason: reworked commit message, added metadata]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match:

fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961
fib_table_delete+0x5f3/0xa40 linux-6.0-rc7/net/ipv4/fib_trie.c:1753
inet_rtm_delroute+0x2b3/0x380 linux-6.0-rc7/net/ipv4/fib_frontend.c:874

Separate nexthop objects are mutually exclusive with the legacy multipath spec. Fix fib_nh_match to return if the config for the to-be-deleted route contains a multipath spec while the fib_info is using a nexthop object.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix PCI device refcount leak in has_external_pci() for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break out of the for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() before 'return true' to avoid a reference count leak.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init() for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break out of the for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() for the error path to avoid a reference count leak.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: nvme: fix SRCU protection of nvme_ns_head list Walking the nvme_ns_head siblings list is protected by the head's srcu in nvme_ns_head_submit_bio() but not nvme_mpath_revalidate_paths(). Removing namespaces from the list also fails to synchronize the srcu. Concurrent scan work can therefore cause use-after-frees. Hold the head's srcu lock in nvme_mpath_revalidate_paths() and synchronize with the srcu, not the global RCU, in nvme_ns_remove(). Observed the following panic when making NVMe/RDMA connections with native multipath on the Rocky Linux 8.6 kernel (it seems the upstream kernel has the same race condition). Disassembly shows the faulting instruction is cmp 0x50(%rdx),%rcx; computing capacity != get_capacity(ns->disk). Address 0x50 is dereferenced because ns->disk is NULL. The NULL disk appears to be the result of concurrent scan work freeing the namespace (note the log line in the middle of the panic).

[37314.206036] BUG: unable to handle kernel NULL pointer dereference at 0000000000000050
[37314.206036] nvme0n3: detected capacity change from 0 to 11811160064
[37314.299753] PGD 0 P4D 0
[37314.299756] Oops: 0000 [#1] SMP PTI
[37314.299759] CPU: 29 PID: 322046 Comm: kworker/u98:3 Kdump: loaded Tainted: G W X --------- - - 4.18.0-372.32.1.el8test86.x86_64 #1
[37314.299762] Hardware name: Dell Inc. PowerEdge R720/0JP31P, BIOS 2.7.0 05/23/2018
[37314.299763] Workqueue: nvme-wq nvme_scan_work [nvme_core]
[37314.299783] RIP: 0010:nvme_mpath_revalidate_paths+0x26/0xb0 [nvme_core]
[37314.299790] Code: 1f 44 00 00 66 66 66 66 90 55 53 48 8b 5f 50 48 8b 83 c8 c9 00 00 48 8b 13 48 8b 48 50 48 39 d3 74 20 48 8d 42 d0 48 8b 50 20 <48> 3b 4a 50 74 05 f0 80 60 70 ef 48 8b 50 30 48 8d 42 d0 48 39 d3
[37315.058803] RSP: 0018:ffffabe28f913d10 EFLAGS: 00010202
[37315.121316] RAX: ffff927a077da800 RBX: ffff92991dd70000 RCX: 0000000001600000
[37315.206704] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff92991b719800
[37315.292106] RBP: ffff929a6b70c000 R08: 000000010234cd4a R09: c0000000ffff7fff
[37315.377501] R10: 0000000000000001 R11: ffffabe28f913a30 R12: 0000000000000000
[37315.462889] R13: ffff92992716600c R14: ffff929964e6e030 R15: ffff92991dd70000
[37315.548286] FS: 0000000000000000(0000) GS:ffff92b87fb80000(0000) knlGS:0000000000000000
[37315.645111] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[37315.713871] CR2: 0000000000000050 CR3: 0000002208810006 CR4: 00000000000606e0
[37315.799267] Call Trace:
[37315.828515] nvme_update_ns_info+0x1ac/0x250 [nvme_core]
[37315.892075] nvme_validate_or_alloc_ns+0x2ff/0xa00 [nvme_core]
[37315.961871] ? __blk_mq_free_request+0x6b/0x90
[37316.015021] nvme_scan_work+0x151/0x240 [nvme_core]
[37316.073371] process_one_work+0x1a7/0x360
[37316.121318] ? create_worker+0x1a0/0x1a0
[37316.168227] worker_thread+0x30/0x390
[37316.212024] ? create_worker+0x1a0/0x1a0
[37316.258939] kthread+0x10a/0x120
[37316.297557] ? set_kthread_struct+0x50/0x50
[37316.347590] ret_from_fork+0x35/0x40
[37316.390360] Modules linked in: nvme_rdma nvme_tcp(X) nvme_fabrics nvme_core netconsole iscsi_tcp libiscsi_tcp dm_queue_length dm_service_time nf_conntrack_netlink br_netfilter bridge stp llc overlay nft_chain_nat ipt_MASQUERADE nf_nat xt_addrtype xt_CT nft_counter xt_state xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xt_comment xt_multiport nft_compat nf_tables libcrc32c nfnetlink dm_multipath tg3 rpcrdma sunrpc rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm intel_rapl_msr iTCO_wdt iTCO_vendor_support dcdbas intel_rapl_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel ipmi_ssif kvm irqbypass crct10dif_pclmul crc32_pclmul mlx5_ib ghash_clmulni_intel ib_uverbs rapl intel_cstate intel_uncore ib_core ipmi_si joydev mei_me pcspkr ipmi_devintf mei lpc_ich wmi ipmi_msghandler acpi_power_meter ex ---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Fix bounds check for _sx controls For _sx controls the semantics of the max field is not the usual one, max is the number of steps rather than the maximum value. This means that our check in snd_soc_put_volsw_sx() needs to just check against the maximum value.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: tracing: Free buffers when a used dynamic event is removed After 65536 dynamic events have been added and removed, the "type" field of the event then uses the first type number that is available (not currently used by other events). A type number is the identifier of the binary blobs in the tracing ring buffer (known as events) to map them to logic that can parse the binary blob. The issue is that if a dynamic event (like a kprobe event) is traced and is in the ring buffer, and then that event is removed (because it is dynamic, which means it can be created and destroyed), if another dynamic event is created that has the same number, that new event's logic on parsing the binary blob will be used. To show how this can be an issue, the following can crash the kernel:

 # cd /sys/kernel/tracing
 # for i in `seq 65536`; do
     echo 'p:kprobes/foo do_sys_openat2 $arg1:u32' > kprobe_events
 # done

For every iteration of the above, the writing to the kprobe_events will remove the old event and create a new one (with the same format) and increase the type number to the next available one until the type number reaches over 65535, which is the max number for the 16 bit type. After it reaches that number, the logic to allocate a new number simply looks for the next available number. When a dynamic event is removed, that number is then available to be reused by the next dynamic event created. That is, once the above reaches the max number, the number assigned to the event in that loop will remain the same. Now that means deleting one dynamic event and creating another will reuse the previous event's type number. This is where bad things can happen. After the above loop finishes, the kprobes/foo event reads the do_sys_openat2 function call's first parameter as an integer.

 # echo 1 > kprobes/foo/enable
 # cat /etc/passwd > /dev/null
 # cat trace
 cat-2211 [005] .... 2007.849603: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
 cat-2211 [005] .... 2007.849620: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
 cat-2211 [005] .... 2007.849838: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
 cat-2211 [005] .... 2007.849880: foo: (do_sys_openat2+0x0/0x130) arg1=4294967196
 # echo 0 > kprobes/foo/enable

Now if we delete the kprobe and create a new one that reads a string:

 # echo 'p:kprobes/foo do_sys_openat2 +0($arg2):string' > kprobe_events

And now we can see the trace:

 # cat trace
 sendmail-1942 [002] ..... 530.136320: foo: (do_sys_openat2+0x0/0x240) arg1=
 cat-2046 [004] ..... 530.930817: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
 cat-2046 [004] ..... 530.930961: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
 cat-2046 [004] ..... 530.934278: foo: (do_sys_openat2+0x0/0x240) arg1="������������������������������������������������������������������������������������������������"
 cat-2046 [004] ..... 530.934563: foo: (do_sys_openat2+0x0/0x240) arg1="��������������������������������������� ---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry() Syzbot reported a null-ptr-deref bug:

NILFS (loop0): segctord starting. Construction interval = 5 seconds, CP frequency < 30 seconds
general protection fault, probably for non-canonical address 0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 1 PID: 3603 Comm: segctord Not tainted 6.1.0-rc2-syzkaller-00105-gb229b6ca5abb #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022
RIP: 0010:nilfs_palloc_commit_free_entry+0xe5/0x6b0 fs/nilfs2/alloc.c:608
Code: 00 00 00 00 fc ff df 80 3c 02 00 0f 85 cd 05 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 73 08 49 8d 7e 10 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 05 00 00 49 8b 46 10 be a6 00 00 00 48 c7 c7
RSP: 0018:ffffc90003dff830 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88802594e218 RCX: 000000000000000d
RDX: 0000000000000002 RSI: 0000000000002000 RDI: 0000000000000010
RBP: ffff888071880222 R08: 0000000000000005 R09: 000000000000003f
R10: 000000000000000d R11: 0000000000000000 R12: ffff888071880158
R13: ffff88802594e220 R14: 0000000000000000 R15: 0000000000000004
FS: 0000000000000000(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb1c08316a8 CR3: 0000000018560000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 nilfs_dat_commit_free fs/nilfs2/dat.c:114 [inline]
 nilfs_dat_commit_end+0x464/0x5f0 fs/nilfs2/dat.c:193
 nilfs_dat_commit_update+0x26/0x40 fs/nilfs2/dat.c:236
 nilfs_btree_commit_update_v+0x87/0x4a0 fs/nilfs2/btree.c:1940
 nilfs_btree_commit_propagate_v fs/nilfs2/btree.c:2016 [inline]
 nilfs_btree_propagate_v fs/nilfs2/btree.c:2046 [inline]
 nilfs_btree_propagate+0xa00/0xd60 fs/nilfs2/btree.c:2088
 nilfs_bmap_propagate+0x73/0x170 fs/nilfs2/bmap.c:337
 nilfs_collect_file_data+0x45/0xd0 fs/nilfs2/segment.c:568
 nilfs_segctor_apply_buffers+0x14a/0x470 fs/nilfs2/segment.c:1018
 nilfs_segctor_scan_file+0x3f4/0x6f0 fs/nilfs2/segment.c:1067
 nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1197 [inline]
 nilfs_segctor_collect fs/nilfs2/segment.c:1503 [inline]
 nilfs_segctor_do_construct+0x12fc/0x6af0 fs/nilfs2/segment.c:2045
 nilfs_segctor_construct+0x8e3/0xb30 fs/nilfs2/segment.c:2379
 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2487 [inline]
 nilfs_segctor_thread+0x3c3/0xf30 fs/nilfs2/segment.c:2570
 kthread+0x2e4/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
 </TASK>
...

If the DAT metadata file is corrupted on disk, there is a case where req->pr_desc_bh is NULL and blocknr is 0 at nilfs_dat_commit_end() during a b-tree operation that cascadingly updates ancestor nodes of the b-tree, because nilfs_dat_commit_alloc() for a lower level block can initialize the blocknr on the same DAT entry between nilfs_dat_prepare_end() and nilfs_dat_commit_end(). If this happens, nilfs_dat_commit_end() calls nilfs_dat_commit_free() without valid buffer heads in req->pr_desc_bh and req->pr_bitmap_bh, and causes the NULL pointer dereference above in the nilfs_palloc_commit_free_entry() function, which leads to a crash. Fix this by adding a NULL check on req->pr_desc_bh and req->pr_bitmap_bh before nilfs_palloc_commit_free_entry() in nilfs_dat_commit_free(). This also calls nilfs_error() in that case to notify that there is a fatal flaw in the filesystem metadata and prevent further operations.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: hwmon: (coretemp) Check for null before removing sysfs attrs If coretemp_add_core() gets an error then pdata->core_data[indx] is already NULL and has been kfreed. Don't pass that to sysfs_remove_group() as that will crash in sysfs_remove_group().

[Shortened for readability]
[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label'
<cpu offline>
[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188
[91855.165103] #PF: supervisor read access in kernel mode
[91855.194506] #PF: error_code(0x0000) - not-present page
[91855.224445] PGD 0 P4D 0
[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI
...
[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80
...
[91855.796571] Call Trace:
[91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp]
[91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp]
[91855.871107] cpuhp_invoke_callback+0x105/0x4b0
[91855.893432] cpuhp_thread_fun+0x8e/0x150
...

Fix this by checking for NULL first.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() As the comment of pci_get_domain_bus_and_slot() says, it returns a pci device with its refcount incremented; when finished using it, the caller must decrement the reference count by calling pci_dev_put(). So call it after use to avoid a refcount leak.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: afs: Fix server->active leak in afs_put_server The atomic_read was accidentally replaced with atomic_inc_return, which prevents the server from getting cleaned up and causes rmmod to hang with a warning: Can't purge s=00000001


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net: tun: Fix use-after-free in tun_detach() syzbot reported use-after-free in tun_detach() [1]. This causes a call trace like below:

==================================================================
BUG: KASAN: use-after-free in notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
Read of size 8 at addr ffff88807324e2a8 by task syz-executor.0/3673

CPU: 0 PID: 3673 Comm: syz-executor.0 Not tainted 6.1.0-rc5-syzkaller-00044-gcc675d22e422 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x15e/0x461 mm/kasan/report.c:395
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
 notifier_call_chain+0x1ee/0x200 kernel/notifier.c:75
 call_netdevice_notifiers_info+0x86/0x130 net/core/dev.c:1942
 call_netdevice_notifiers_extack net/core/dev.c:1983 [inline]
 call_netdevice_notifiers net/core/dev.c:1997 [inline]
 netdev_wait_allrefs_any net/core/dev.c:10237 [inline]
 netdev_run_todo+0xbc6/0x1100 net/core/dev.c:10351
 tun_detach drivers/net/tun.c:704 [inline]
 tun_chr_close+0xe4/0x190 drivers/net/tun.c:3467
 __fput+0x27c/0xa90 fs/file_table.c:320
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xb3d/0x2a30 kernel/exit.c:820
 do_group_exit+0xd4/0x2a0 kernel/exit.c:950
 get_signal+0x21b1/0x2440 kernel/signal.c:2858
 arch_do_signal_or_restart+0x86/0x2300 arch/x86/kernel/signal.c:869
 exit_to_user_mode_loop kernel/entry/common.c:168 [inline]
 exit_to_user_mode_prepare+0x15f/0x250 kernel/entry/common.c:203
 __syscall_exit_to_user_mode_work kernel/entry/common.c:285 [inline]
 syscall_exit_to_user_mode+0x1d/0x50 kernel/entry/common.c:296
 do_syscall_64+0x46/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The cause of the issue is that sock_put() from __tun_detach() drops the last reference count for struct net, and then notifier_call_chain() from netdev_state_change() accesses that struct net. This patch fixes the issue by calling sock_put() from tun_detach() after all necessary accesses to the struct net have been done.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net: hsr: Fix potential use-after-free The skb is delivered to netif_rx(), which may free it; after calling this, dereferencing skb may trigger a use-after-free.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net: mdiobus: fix unbalanced node reference count I got the following report while doing device (mscc-miim) load test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled:

OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /spi/soc@0/mdio@7107009c/ethernet-phy@0

If the 'fwnode' is not an acpi node, the refcount is obtained in fwnode_mdiobus_phy_device_register(), but it has never been put when the device is freed in the normal path. So call fwnode_handle_put() in phy_device_release() to avoid the leak. If it's an acpi node, it has never been obtained, but it's put in the error path, so call fwnode_handle_get() before phy_device_register() to keep the get/put operations balanced.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: tipc: re-fetch skb cb after tipc_msg_validate As the call trace shows, the original skb was freed in tipc_msg_validate(), and dereferencing the old skb cb would cause a use-after-free crash. BUG: KASAN: use-after-free in tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] Call Trace: <IRQ> tipc_crypto_rcv_complete+0x1835/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] ... Allocated by task 47078: kmem_cache_alloc_node+0x158/0x4d0 __alloc_skb+0x1c1/0x270 tipc_buf_acquire+0x1e/0xe0 [tipc] tipc_msg_create+0x33/0x1c0 [tipc] tipc_link_build_proto_msg+0x38a/0x2100 [tipc] tipc_link_timeout+0x8b8/0xef0 [tipc] tipc_node_timeout+0x2a1/0x960 [tipc] call_timer_fn+0x2d/0x1c0 ... Freed by task 47078: tipc_msg_validate+0x7b/0x440 [tipc] tipc_crypto_rcv_complete+0x4b5/0x2240 [tipc] tipc_crypto_rcv+0xd32/0x1ec0 [tipc] tipc_rcv+0x744/0x1150 [tipc] This patch fixes it by re-fetching the skb cb from the newly allocated skb after calling tipc_msg_validate().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net: ethernet: nixge: fix NULL dereference In function nixge_hw_dma_bd_release() dereference of NULL pointer priv->rx_bd_v is possible for the case of its allocation failure in nixge_hw_dma_bd_init(). Move for() loop with priv->rx_bd_v dereference under the check for its validity. Found by Linux Verification Center (linuxtesting.org) with SVACE.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net/9p: Fix a potential socket leak in p9_socket_open Both p9_fd_create_tcp() and p9_fd_create_unix() will call p9_socket_open(). If the creation of p9_trans_fd fails, p9_fd_create_tcp() and p9_fd_create_unix() will return an error directly instead of releasing the csocket, which will result in a socket leak. This patch adds sock_release() to fix the leak issue.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net: phy: fix null-ptr-deref while probe() failed I got a null-ptr-deref report as follows when doing a fault injection test: BUG: kernel NULL pointer dereference, address: 0000000000000058 Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:klist_put+0x2d/0xd0 Call Trace: <TASK> klist_remove+0xf1/0x1c0 device_release_driver_internal+0x23e/0x2d0 bus_remove_device+0x1bd/0x240 device_del+0x357/0x770 phy_device_remove+0x11/0x30 mdiobus_unregister+0xa5/0x140 release_nodes+0x6a/0xa0 devres_release_all+0xf8/0x150 device_unbind_cleanup+0x19/0xd0 //probe path: phy_device_register() device_add() phy_connect phy_attach_direct() //set device driver probe() //it's failed, driver is not bound device_bind_driver() // probe failed, it's not called //remove path: phy_device_remove() device_del() device_release_driver_internal() __device_release_driver() //dev->drv is not NULL klist_remove() <- knode_driver is not added yet, cause null-ptr-deref In phy_attach_direct(), after setting the 'dev->driver', probe() fails, device_bind_driver() is not called, so the knode_driver->n_klist is not set, then it causes a null-ptr-deref in __device_release_driver() while deleting the device. Fix this by setting dev->driver to NULL in the error path in phy_attach_direct().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix possible oob access in ieee80211_get_rate_duration Fix possible out-of-bounds access in the ieee80211_get_rate_duration routine as reported by the following UBSAN report: UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47 index 15 is out of range for type 'u16 [12]' CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017 Workqueue: mt76 mt76u_tx_status_data [mt76_usb] Call Trace: <TASK> show_stack+0x4e/0x61 dump_stack_lvl+0x4a/0x6f dump_stack+0x10/0x18 ubsan_epilogue+0x9/0x43 __ubsan_handle_out_of_bounds.cold+0x42/0x47 ieee80211_get_rate_duration.constprop.0+0x22f/0x2a0 [mac80211] ? ieee80211_tx_status_ext+0x32e/0x640 [mac80211] ieee80211_calc_rx_airtime+0xda/0x120 [mac80211] ieee80211_calc_tx_airtime+0xb4/0x100 [mac80211] mt76x02_send_tx_status+0x266/0x480 [mt76x02_lib] mt76x02_tx_status_data+0x52/0x80 [mt76x02_lib] mt76u_tx_status_data+0x67/0xd0 [mt76_usb] process_one_work+0x225/0x400 worker_thread+0x50/0x3e0 ? process_one_work+0x400/0x400 kthread+0xe9/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix buffer overflow in elem comparison For vendor elements, the code here assumes that 5 octets are present without checking. Since the element itself is already checked to fit, we only need to check the length.
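The element comparison described above, written out as an added userspace example (not code from the kernel or from this advisory): 802.11 information elements are type-length-value records, and a vendor-specific element (ID 221) is identified by the first five octets of its body (3-octet OUI, vendor type, subtype). The walker below checks that each element's declared length fits the buffer, and the comparison additionally refuses to read those five octets unless both elements declare at least five; the missing second check is the overflow the fix addresses. The sample beacon and probe-response element bytes are constructed for the example, and the function names are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WLAN_EID_VENDOR_SPECIFIC 221

/* Octets of a vendor-specific element body that identify "which" vendor
 * element it is: OUI (3) + vendor type (1) + subtype (1). */
#define VENDOR_ID_OCTETS 5

/* Decide whether element 'b' is the same kind of element as 'a'. Both point
 * at an element header (ID, length, body...). Callers must already have
 * verified that each element's declared length fits its buffer; this
 * function guards only the extra 5-octet assumption for vendor elements. */
static bool elem_same_kind(const uint8_t *a, const uint8_t *b)
{
	if (a[0] != b[0])
		return false;
	if (a[0] != WLAN_EID_VENDOR_SPECIFIC)
		return true;
	/* Without this check the memcmp below reads past a short element:
	 * a vendor element may legally carry fewer than 5 octets. */
	if (a[1] < VENDOR_ID_OCTETS || b[1] < VENDOR_ID_OCTETS)
		return false;
	return memcmp(a + 2, b + 2, VENDOR_ID_OCTETS) == 0;
}

/* Walk the element buffer 'ies' and return the offset of the first element
 * of the same kind as 'ref', or -1. Each element is checked to fit inside
 * 'len' before it is looked at, so a truncated trailing element ends the
 * walk instead of being compared. */
static long find_matching_elem(const uint8_t *ref, const uint8_t *ies, size_t len)
{
	size_t pos = 0;

	while (pos + 2 <= len) {
		const uint8_t *e = ies + pos;
		size_t body = e[1];

		if (pos + 2 + body > len)
			return -1;
		if (elem_same_kind(ref, e))
			return (long)pos;
		pos += 2 + body;
	}
	return -1;
}

/* Constructed sample data (not from the advisory): an SSID element and a WMM
 * parameter element (Microsoft OUI 00:50:f2, type 2, subtype 1) as a beacon
 * might carry them. */
static const uint8_t beacon_ssid[] = { 0x00, 4, 't', 'e', 's', 't' };
static const uint8_t beacon_wmm[] = {
	WLAN_EID_VENDOR_SPECIFIC, 7, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01, 0x80,
};

/* Constructed probe-response element list: the SSID, then a vendor element
 * carrying only a 3-octet OUI (legal, but too short to compare), then a WMM
 * element with the same five identifying octets as beacon_wmm. */
static const uint8_t probe_ies[] = {
	0x00, 4, 't', 'e', 's', 't',
	WLAN_EID_VENDOR_SPECIFIC, 3, 0x00, 0x50, 0xf2,
	WLAN_EID_VENDOR_SPECIFIC, 6, 0x00, 0x50, 0xf2, 0x02, 0x01, 0x01,
};

int main(void)
{
	printf("WMM element found at offset %ld\n",
	       find_matching_elem(beacon_wmm, probe_ies, sizeof(probe_ies)));
	printf("same search on a buffer truncated by one byte: %ld\n",
	       find_matching_elem(beacon_wmm, probe_ies, sizeof(probe_ies) - 1));
	return 0;
}
```

The three-octet vendor element is skipped rather than compared, and truncating the buffer so the last element no longer fits stops the walk with no match instead of reading past the end.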


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: can: m_can: pci: add missing m_can_class_free_dev() in probe/remove methods In m_can_pci_remove() and the error handling path of m_can_pci_probe(), m_can_class_free_dev() should be called to free the resource allocated by m_can_class_allocate_dev(), otherwise there will be a memory leak.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix use-after-free when reverting termination table When there are multiple dests with termination tables and the second one or a later one fails, the driver reverts usage of the term tables but doesn't reset the assignment in attr->dests[num_vport_dests].termtbl, which causes a use-after-free when releasing the rule. Fix by resetting the assignment of termtbl to NULL.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: e100: Fix possible use after free in e100_xmit_prepare In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will resend the skb. But the skb is already freed, which will cause UAF bug when the upper layer resends the skb. Remove the harmful free.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: iavf: Fix error handling in iavf_init_module() The iavf_init_module() won't destroy workqueue when pci_register_driver() failed. Call destroy_workqueue() when pci_register_driver() failed to prevent the resource leak. Similar to the handling of u132_hcd_init in commit f276e002793c ("usb: u132-hcd: fix resource leak")


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ixgbevf: Fix resource leak in ixgbevf_init_module() ixgbevf_init_module() won't destroy the workqueue created by create_singlethread_workqueue() when pci_register_driver() failed. Add destroy_workqueue() in fail path to prevent the resource leak. Similar to the handling of u132_hcd_init in commit f276e002793c ("usb: u132-hcd: fix resource leak")


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails Smatch reports a warning as follows: drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: '&data->list' not removed from list If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will be freed, but data->list will not be removed from driver_data.bmc_data, then list traversal may cause a UAF. Fix by removing it from driver_data.bmc_data before free().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: iio: health: afe4403: Fix oob read in afe4403_read_raw KASAN reports an out-of-bounds read as follows: BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0 Read of size 4 at addr ffffffffc02ac638 by task cat/279 Call Trace: afe4403_read_raw iio_read_channel_info dev_attr_show The buggy address belongs to the variable: afe4403_channel_leds+0x18/0xffffffffffffe9e0 This issue can be reproduced by a single command: $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw The array size of afe4403_channel_leds is less than channels, so access with chan->address causes an OOB read in afe4403_read_raw. Fix it by moving the access before using it.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw KASAN reports an out-of-bounds read as follows: BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380 Read of size 4 at addr ffffffffc00e4658 by task cat/278 Call Trace: afe4404_read_raw iio_read_channel_info dev_attr_show The buggy address belongs to the variable: afe4404_channel_leds+0x18/0xffffffffffffe9c0 This issue can be reproduced by a single command: $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw The array sizes of afe4404_channel_leds and afe4404_channel_offdacs are less than channels, so access with chan->address causes an OOB read in afe4404_[read|write]_raw. Fix it by moving the access before using them.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

A NULL pointer dereference issue was found in the CAN protocol in net/can/af_can.c in the Linux kernel. ml_priv may not be initialized in the receive path of CAN frames. A local user could use this flaw to crash the system or potentially cause a denial of service.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

A NULL pointer dereference flaw was found in the UNIX protocol in net/unix/diag.c, in unix_diag_get_exact, in the Linux kernel. The newly allocated skb does not have sk, leading to a NULL pointer dereference. This flaw allows a local user to crash the system or potentially cause a denial of service.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: i3c: mipi-i3c-hci: Fix out of bounds access in hci_dma_irq_handler Do not loop over ring headers in hci_dma_irq_handler() that are not allocated and enabled in hci_dma_init(). Otherwise out of bounds access will occur from rings->headers[i] access when i >= number of allocated ring headers.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix htt pktlog locking The ath11k active pdevs are protected by RCU but the htt pktlog handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a read-side critical section. Mark the code in question as an RCU read-side critical section to avoid any potential use-after-free issues. Compile tested only.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: tcp: do not accept ACK of bytes we never sent

This patch is based on a detailed report and ideas from Yepeng Pan and Christian Rossow.

ACK seq validation is currently following RFC 5961 5.2 guidelines: The ACK value is considered acceptable only if it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT). All incoming segments whose ACK value doesn't satisfy the above condition MUST be discarded and an ACK sent back. It needs to be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an ACK, drop the segment, and return". The "ignored" above implies that the processing of the incoming data segment continues, which means the ACK value is treated as acceptable. This mitigation makes the ACK check more stringent since any ACK < SND.UNA wouldn't be accepted, instead only ACKs that are in the range ((SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.

This can be refined for new (and possibly spoofed) flows, by not accepting ACK for bytes that were never sent. This greatly improves TCP security at a little cost.

I added a Fixes: tag to make sure this patch will reach stable trees, even if the 'blamed' patch was adhering to the RFC. tp->bytes_acked was added in linux-4.2

Following packetdrill test (courtesy of Yepeng Pan) shows the issue at hand:

0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1024) = 0

// ---------------- Handshake ------------------- //
// when window scale is set to 14 the window size can be extended to
// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet
// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)
// ,though this ack number acknowledges some data never
// sent by the server.

+0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14>
+0 > S. 0:0(0) ack 1 <...>
+0 < . 1:1(0) ack 1 win 65535
+0 accept(3, ..., ...) = 4

// For the established connection, we send an ACK packet,
// the ack packet uses ack number 1 - 1073725300 + 2^32,
// where 2^32 is used to wrap around.
// Note: we used 1073725300 instead of 1073725440 to avoid possible
// edge cases.
// 1 - 1073725300 + 2^32 = 3221241997

// Oops, old kernels happily accept this packet.
+0 < . 1:1001(1000) ack 3221241997 win 65535

// After the kernel fix the following will be replaced by a challenge ACK,
// and prior malicious frame would be dropped.
+0 > . 1:1(0) ack 1001
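The ACK check before and after the fix, as an added userspace model (not the kernel's code and not part of this advisory). It carries the packetdrill numbers through: after the handshake SND.UNA = SND.NXT = 1, the peer's wscale-14 window makes MAX.SND.WND = 65535 * 2^14, and the forged segment acknowledges 3221241997. The pre-fix check tolerates that value because it still lies inside (SND.UNA - MAX.SND.WND) modulo 2^32; the post-fix check caps the tolerated range at the bytes actually acknowledged on the flow (zero on a fresh connection), so the same segment draws a challenge ACK. Struct and function names, the 2000-byte "established" state, and the three verdict values are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Modulo-2^32 sequence comparisons, modelled on the kernel's before()/after(). */
static bool seq_before(uint32_t a, uint32_t b)
{
	return (int32_t)(a - b) < 0;
}

static bool seq_after(uint32_t a, uint32_t b)
{
	return seq_before(b, a);
}

/* The slice of per-connection state that the ACK check consults. */
struct tcp_state {
	uint32_t snd_una;     /* SND.UNA: oldest unacknowledged byte */
	uint32_t snd_nxt;     /* SND.NXT: next byte to be sent */
	uint32_t max_window;  /* MAX.SND.WND: largest window the peer ever advertised */
	uint64_t bytes_acked; /* bytes the peer has acknowledged on this flow so far */
};

enum ack_verdict {
	ACK_ACCEPT,    /* in window: normal processing */
	ACK_OLD,       /* SEG.ACK < SND.UNA but tolerated: segment data still processed */
	ACK_CHALLENGE, /* segment dropped, challenge ACK sent back */
};

/* Pre-fix check: the RFC 5961 5.2 window only. */
static enum ack_verdict ack_check_old(const struct tcp_state *tp, uint32_t ack)
{
	if (seq_after(ack, tp->snd_nxt))
		return ACK_CHALLENGE;
	if (seq_before(ack, tp->snd_una)) {
		if (seq_before(ack, tp->snd_una - tp->max_window))
			return ACK_CHALLENGE;
		return ACK_OLD;
	}
	return ACK_ACCEPT;
}

/* Post-fix check: the tolerated range below SND.UNA is additionally capped by
 * the bytes acknowledged so far, so an ACK for bytes this side never sent is
 * rejected however large the advertised window is. */
static enum ack_verdict ack_check_fixed(const struct tcp_state *tp, uint32_t ack)
{
	if (seq_after(ack, tp->snd_nxt))
		return ACK_CHALLENGE;
	if (seq_before(ack, tp->snd_una)) {
		uint32_t max_window = tp->max_window;

		if (tp->bytes_acked < max_window)
			max_window = (uint32_t)tp->bytes_acked;
		if (seq_before(ack, tp->snd_una - max_window))
			return ACK_CHALLENGE;
		return ACK_OLD;
	}
	return ACK_ACCEPT;
}

/* State right after the packetdrill handshake: server ISN 0, so
 * SND.UNA = SND.NXT = 1; the peer advertised 65535 with wscale 14. */
static const struct tcp_state after_handshake = {
	.snd_una = 1, .snd_nxt = 1, .max_window = 65535u << 14, .bytes_acked = 0,
};

/* Constructed later state of the same flow: 2000 bytes sent and acknowledged. */
static const struct tcp_state after_2000_bytes = {
	.snd_una = 2001, .snd_nxt = 2001, .max_window = 65535u << 14, .bytes_acked = 2000,
};

/* The ack number from the packetdrill script: 1 - 1073725300 + 2^32. */
#define FORGED_ACK 3221241997u

int main(void)
{
	static const char *names[] = { "accept", "old", "challenge" };

	printf("forged ack %u: old check -> %s, fixed check -> %s\n", FORGED_ACK,
	       names[ack_check_old(&after_handshake, FORGED_ACK)],
	       names[ack_check_fixed(&after_handshake, FORGED_ACK)]);
	printf("duplicate ack 1501 after 2000 bytes: old -> %s, fixed -> %s\n",
	       names[ack_check_old(&after_2000_bytes, 1501)],
	       names[ack_check_fixed(&after_2000_bytes, 1501)]);
	return 0;
}
```

A genuine duplicate ACK on an established flow (1501 when 2000 bytes have been acknowledged) is still tolerated by the fixed check, so ordinary retransmission behaviour is unaffected; only acknowledgements reaching below what was ever sent are turned into challenge ACKs.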


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer In af9035_i2c_master_xfer, msg is controlled by the user. When msg[i].buf is null and msg[i].len is zero, the former checks on msg[i].buf would be passed. Malicious data finally reaches af9035_i2c_master_xfer. If accessing msg[i].buf[0] without a sanity check, a null ptr deref would happen. We add a check on msg[i].len to prevent the crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()")


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: media: pci: cx23885: check cx23885_vdev_init() return cx23885_vdev_init() can return a NULL pointer, but that pointer is used in the next line without a check. Add a NULL pointer check and go to the error unwind if it is NULL.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix possible NULL pointer dereference in send_acknowledge() Handle memory allocation failure from nci_skb_alloc() (calling alloc_skb()) to avoid possible NULL pointer dereference.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix possible UAF in amdgpu_cs_pass1() Since the gang_size check is outside of chunk parsing loop, we need to reset i before we free the chunk data. Suggested by Ye Zhang (@VAR10CK) of Baidu Security.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: can: bcm: Fix UAF in bcm_proc_show() BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862 CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xd5/0x150 print_report+0xc1/0x5e0 kasan_report+0xba/0xf0 bcm_proc_show+0x969/0xa80 seq_read_iter+0x4f6/0x1260 seq_read+0x165/0x210 proc_reg_read+0x227/0x300 vfs_read+0x1d5/0x8d0 ksys_read+0x11e/0x240 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Allocated by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x9e/0xa0 bcm_sendmsg+0x264b/0x44e0 sock_sendmsg+0xda/0x180 ____sys_sendmsg+0x735/0x920 ___sys_sendmsg+0x11d/0x1b0 __sys_sendmsg+0xfa/0x1d0 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x161/0x1c0 slab_free_freelist_hook+0x119/0x220 __kmem_cache_free+0xb4/0x2e0 rcu_core+0x809/0x1bd0 bcm_op is freed before the procfs entry is removed in bcm_release(); this leads to bcm_proc_show() possibly reading the freed bcm_op.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix double-free on socket dismantle when MPTCP server accepts an incoming connection, it clones its listener socket. However, the pointer to 'inet_opt' for the new socket has the same value as the original one: as a consequence, on program exit it's possible to observe the following splat: BUG: KASAN: double-free in inet_sock_destruct+0x54f/0x8b0 Free of addr ffff888485950880 by task swapper/25/0 CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Not tainted 6.8.0-rc1+ #609 Hardware name: Supermicro SYS-6027R-72RF/X9DRH-7TF/7F/iTF/iF, BIOS 3.0 07/26/2013 Call Trace: <IRQ> dump_stack_lvl+0x32/0x50 print_report+0xca/0x620 kasan_report_invalid_free+0x64/0x90 __kasan_slab_free+0x1aa/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 rcu_do_batch+0x34e/0xd90 rcu_core+0x559/0xac0 __do_softirq+0x183/0x5a4 irq_exit_rcu+0x12d/0x170 sysvec_apic_timer_interrupt+0x6b/0x80 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x16/0x20 RIP: 0010:cpuidle_enter_state+0x175/0x300 Code: 30 00 0f 84 1f 01 00 00 83 e8 01 83 f8 ff 75 e5 48 83 c4 18 44 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc fb 45 85 ed <0f> 89 60 ff ff ff 48 c1 e5 06 48 c7 43 18 00 00 00 00 48 83 44 2b RSP: 0018:ffff888481cf7d90 EFLAGS: 00000202 RAX: 0000000000000000 RBX: ffff88887facddc8 RCX: 0000000000000000 RDX: 1ffff1110ff588b1 RSI: 0000000000000019 RDI: ffff88887fac4588 RBP: 0000000000000004 R08: 0000000000000002 R09: 0000000000043080 R10: 0009b02ea273363f R11: ffff88887fabf42b R12: ffffffff932592e0 R13: 0000000000000004 R14: 0000000000000000 R15: 00000022c880ec80 cpuidle_enter+0x4a/0xa0 do_idle+0x310/0x410 cpu_startup_entry+0x51/0x60 start_secondary+0x211/0x270 secondary_startup_64_no_verify+0x184/0x18b </TASK> Allocated by task 6853: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 __kmalloc+0x1eb/0x450 cipso_v4_sock_setattr+0x96/0x360 netlbl_sock_setattr+0x132/0x1f0 
selinux_netlbl_socket_post_create+0x6c/0x110 selinux_socket_post_create+0x37b/0x7f0 security_socket_post_create+0x63/0xb0 __sock_create+0x305/0x450 __sys_socket_create.part.23+0xbd/0x130 __sys_socket+0x37/0xb0 __x64_sys_socket+0x6f/0xb0 do_syscall_64+0x83/0x160 entry_SYSCALL_64_after_hwframe+0x6e/0x76 Freed by task 6858: kasan_save_stack+0x1c/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x12c/0x1f0 kfree+0xed/0x2e0 inet_sock_destruct+0x54f/0x8b0 __sk_destruct+0x48/0x5b0 subflow_ulp_release+0x1f0/0x250 tcp_cleanup_ulp+0x6e/0x110 tcp_v4_destroy_sock+0x5a/0x3a0 inet_csk_destroy_sock+0x135/0x390 tcp_fin+0x416/0x5c0 tcp_data_queue+0x1bc8/0x4310 tcp_rcv_state_process+0x15a3/0x47b0 tcp_v4_do_rcv+0x2c1/0x990 tcp_v4_rcv+0x41fb/0x5ed0 ip_protocol_deliver_rcu+0x6d/0x9f0 ip_local_deliver_finish+0x278/0x360 ip_local_deliver+0x182/0x2c0 ip_rcv+0xb5/0x1c0 __netif_receive_skb_one_core+0x16e/0x1b0 process_backlog+0x1e3/0x650 __napi_poll+0xa6/0x500 net_rx_action+0x740/0xbb0 __do_softirq+0x183/0x5a4 The buggy address belongs to the object at ffff888485950880 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 0 bytes inside of 64-byte region [ffff888485950880, ffff8884859508c0) The buggy address belongs to the physical page: page:0000000056d1e95e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888485950700 pfn:0x485950 flags: 0x57ffffc0000800(slab|node=1|zone=2|lastcpupid=0x1fffff) page_type: 0xffffffff() raw: 0057ffffc0000800 ffff88810004c640 ffffea00121b8ac0 dead000000000006 raw: ffff888485950700 0000000000200019 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888485950780: fa fb fb ---truncated---
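The ownership problem behind the double free above, as an added userspace illustration (not kernel code and not part of this advisory): when the accepted socket is produced by copying the listener's structure, the copy carries the inet_opt pointer verbatim, so two socket destructors later free one allocation. The example replaces the slab with a four-slot pool whose free routine counts a second free of the same object instead of corrupting memory, runs the accept-then-teardown sequence with a shallow clone and with a clone that gives the child its own copy, and reports how many double frees each produced. The deep-copy remedy, the struct and function names, and the CIPSO option bytes are the example's own assumptions; the kernel patch may differ in detail.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Four fixed slots stand in for the kmalloc-64 cache, so that freeing the
 * same object twice is counted instead of corrupting the real heap. */
#define OPT_SLOTS 4
struct ip_options { bool in_use; uint8_t optlen; uint8_t data[40]; };
static struct ip_options opt_pool[OPT_SLOTS];
static int double_frees;

static struct ip_options *opt_alloc(const uint8_t *data, uint8_t len)
{
	for (int i = 0; i < OPT_SLOTS; i++) {
		if (opt_pool[i].in_use)
			continue;
		opt_pool[i].in_use = true;
		opt_pool[i].optlen = len;
		memcpy(opt_pool[i].data, data, len);
		return &opt_pool[i];
	}
	return NULL;
}

static void opt_free(struct ip_options *opt)
{
	if (!opt)
		return;
	if (!opt->in_use) {
		double_frees++; /* the condition KASAN reports as "double-free" */
		return;
	}
	opt->in_use = false;
}

static int live_opts(void)
{
	int n = 0;
	for (int i = 0; i < OPT_SLOTS; i++)
		n += opt_pool[i].in_use;
	return n;
}

struct inet_sock { int id; struct ip_options *inet_opt; };

/* Release path, as inet_sock_destruct() does for inet_opt. */
static void inet_sock_destruct(struct inet_sock *sk)
{
	opt_free(sk->inet_opt);
	sk->inet_opt = NULL;
}

/* Buggy shape: a plain struct copy carries the inet_opt pointer across, so
 * the listener and the accepted socket both believe they own one object. */
static void clone_shallow(struct inet_sock *child, const struct inet_sock *listener)
{
	*child = *listener;
	child->id = listener->id + 1;
}

/* Safe shape (assumed for illustration): the child gets its own copy of the
 * options, or none at all, and never aliases the listener's allocation. */
static bool clone_deep(struct inet_sock *child, const struct inet_sock *listener)
{
	*child = *listener;
	child->id = listener->id + 1;
	child->inet_opt = NULL;
	if (!listener->inet_opt)
		return true;
	child->inet_opt = opt_alloc(listener->inet_opt->data, listener->inet_opt->optlen);
	return child->inet_opt != NULL;
}

/* accept() followed by both sockets being torn down; returns how many double
 * frees the destructors caused. 'fixed' selects the clone variant. */
static int run_lifecycle(bool fixed)
{
	/* Constructed CIPSO option (type 134, length 6, DOI 1); in the trace the
	 * real option was installed via cipso_v4_sock_setattr(). */
	static const uint8_t cipso[] = { 0x86, 0x06, 0x00, 0x00, 0x00, 0x01 };
	struct inet_sock listener = { .id = 1, .inet_opt = NULL }, child;

	memset(opt_pool, 0, sizeof(opt_pool));
	double_frees = 0;
	listener.inet_opt = opt_alloc(cipso, sizeof(cipso));
	if (fixed)
		clone_deep(&child, &listener);
	else
		clone_shallow(&child, &listener);
	inet_sock_destruct(&child);    /* peer closes: accepted socket freed */
	inet_sock_destruct(&listener); /* process exits: listener freed */
	return double_frees;
}

int main(void)
{
	printf("shallow clone: %d double free(s)\n", run_lifecycle(false));
	printf("deep clone:    %d double free(s)\n", run_lifecycle(true));
	return 0;
}
```

With the shallow clone the second destructor hits an already-released slot; with the deep clone both sockets release their own object and nothing remains allocated afterwards.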


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() When trying to use copy_from_kernel_nofault() to read vsyscall page through a bpf program, the following oops was reported: BUG: unable to handle page fault for address: ffffffffff600000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:copy_from_kernel_nofault+0x6f/0x110 ...... Call Trace: <TASK> ? copy_from_kernel_nofault+0x6f/0x110 bpf_probe_read_kernel+0x1d/0x50 bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d trace_call_bpf+0xc5/0x1c0 perf_call_bpf_enter.isra.0+0x69/0xb0 perf_syscall_enter+0x13e/0x200 syscall_trace_enter+0x188/0x1c0 do_syscall_64+0xb5/0xe0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ...... ---[ end trace 0000000000000000 ]--- The oops is triggered when: 1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall page and invokes copy_from_kernel_nofault() which in turn calls __get_user_asm(). 2) Because the vsyscall page address is not readable from kernel space, a page fault exception is triggered accordingly. 3) handle_page_fault() considers the vsyscall page address as a user space address instead of a kernel space address. This results in the fix-up setup by bpf not being applied and a page_fault_oops() is invoked due to SMAP. Considering handle_page_fault() has already considered the vsyscall page address as a userspace address, fix the problem by disallowing vsyscall page read for copy_from_kernel_nofault().


Затронутые продукты
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: esp: fix bad handling of pages from page_pool

When the skb is reorganized during esp_output (!esp->inline), the pages coming from the original skb fragments are supposed to be released back to the system through put_page. But if the skb fragment pages are originating from a page_pool, calling put_page on them will trigger a page_pool leak which will eventually result in a crash.

This leak can be easily observed when using CONFIG_DEBUG_VM and doing ipsec + gre (non offloaded) forwarding:

BUG: Bad page state in process ksoftirqd/16 pfn:1451b6
page:00000000de2b8d32 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1451b6000 pfn:0x1451b6
flags: 0x200000000000000(node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000000000 dead000000000040 ffff88810d23c000 0000000000000000
raw: 00000001451b6000 0000000000000001 00000000ffffffff 0000000000000000
page dumped because: page_pool leak
Modules linked in: ip_gre gre mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink iptable_nat nf_nat xt_addrtype br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm ib_uverbs ib_core overlay zram zsmalloc fuse [last unloaded: mlx5_core]
CPU: 16 PID: 96 Comm: ksoftirqd/16 Not tainted 6.8.0-rc4+ #22
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x36/0x50
bad_page+0x70/0xf0
free_unref_page_prepare+0x27a/0x460
free_unref_page+0x38/0x120
esp_ssg_unref.isra.0+0x15f/0x200
esp_output_tail+0x66d/0x780
esp_xmit+0x2c5/0x360
validate_xmit_xfrm+0x313/0x370
? validate_xmit_skb+0x1d/0x330
validate_xmit_skb_list+0x4c/0x70
sch_direct_xmit+0x23e/0x350
__dev_queue_xmit+0x337/0xba0
? nf_hook_slow+0x3f/0xd0
ip_finish_output2+0x25e/0x580
iptunnel_xmit+0x19b/0x240
ip_tunnel_xmit+0x5fb/0xb60
ipgre_xmit+0x14d/0x280 [ip_gre]
dev_hard_start_xmit+0xc3/0x1c0
__dev_queue_xmit+0x208/0xba0
? nf_hook_slow+0x3f/0xd0
ip_finish_output2+0x1ca/0x580
ip_sublist_rcv_finish+0x32/0x40
ip_sublist_rcv+0x1b2/0x1f0
? ip_rcv_finish_core.constprop.0+0x460/0x460
ip_list_rcv+0x103/0x130
__netif_receive_skb_list_core+0x181/0x1e0
netif_receive_skb_list_internal+0x1b3/0x2c0
napi_gro_receive+0xc8/0x200
gro_cell_poll+0x52/0x90
__napi_poll+0x25/0x1a0
net_rx_action+0x28e/0x300
__do_softirq+0xc3/0x276
? sort_range+0x20/0x20
run_ksoftirqd+0x1e/0x30
smpboot_thread_fn+0xa6/0x130
kthread+0xcd/0x100
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x31/0x50
? kthread_complete_and_exit+0x20/0x20
ret_from_fork_asm+0x11/0x20
</TASK>

The suggested fix is to introduce a new wrapper (skb_page_unref) that covers page refcounting for page_pool pages as well.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: media: edia: dvbdev: fix a use-after-free

In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed in several error-handling paths. However, *pdvbdev is not set to NULL after dvbdev's deallocation, causing use-after-frees in many places, for example, in the following call chain:

budget_register
  |-> dvb_dmxdev_init
        |-> dvb_register_device
  |-> dvb_dmxdev_release
        |-> dvb_unregister_device
              |-> dvb_remove_device
                    |-> dvb_device_put
                          |-> kref_put

When calling dvb_unregister_device, dmxdev->dvbdev (i.e. *pdvbdev in dvb_register_device) could point to memory that had been freed in dvb_register_device. Thereafter, this pointer is transferred to kref_put and triggers a use-after-free.
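The pattern behind this bug, as an added user-space example (not kernel or dvbdev code): a registration function publishes its allocation through an out-pointer before it has finished, frees the object on a later failure, and leaves the caller's pointer dangling unless it also resets it. The `create_node` step, the `struct dvb_dev` layout and the refcount handling are assumptions of the model.

```c
/* Added example (not kernel or dvbdev code): the out-pointer pattern behind
 * this use-after-free, modelled in user space. The registration function
 * publishes its allocation through an out-pointer before it has finished; on
 * a later failure it frees the object, and unless it also resets the caller's
 * pointer, the caller's own release path operates on freed memory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct dvb_dev {
    int refcount;
    char name[16];
};

/* Hypothetical follow-up step that can fail (e.g. creating the device node). */
static int create_node(struct dvb_dev *dev, int fail)
{
    (void)dev;
    return fail ? -1 : 0;
}

/* Pre-fix shape: *pdev is set as soon as the object exists and is left
 * pointing at freed memory when a later step fails. */
static int register_device_buggy(struct dvb_dev **pdev, int fail)
{
    struct dvb_dev *dev = calloc(1, sizeof(*dev));
    if (!dev)
        return -1;
    dev->refcount = 1;
    strcpy(dev->name, "demo");
    *pdev = dev;                      /* published to the caller early */
    if (create_node(dev, fail)) {
        free(dev);                    /* ...but *pdev still points here */
        return -1;
    }
    return 0;
}

/* Post-fix shape: every error path that frees the object also clears the
 * caller's pointer, so a later release sees NULL and does nothing. */
static int register_device_fixed(struct dvb_dev **pdev, int fail)
{
    struct dvb_dev *dev = calloc(1, sizeof(*dev));
    if (!dev)
        return -1;
    dev->refcount = 1;
    strcpy(dev->name, "demo");
    *pdev = dev;
    if (create_node(dev, fail)) {
        free(dev);
        *pdev = NULL;                 /* the fix */
        return -1;
    }
    return 0;
}

/* Caller-side release (the dvb_unregister_device -> kref_put role).
 * Returns 1 if an object was dropped, 0 if there was nothing to release. */
static int release_device(struct dvb_dev **pdev)
{
    if (!*pdev)
        return 0;
    if (--(*pdev)->refcount == 0)
        free(*pdev);
    *pdev = NULL;
    return 1;
}

/* Drives a failing registration and reports whether the caller is left with
 * a non-NULL (dangling) pointer: 1 = UAF precondition present, 0 = safe.
 * The dangling pointer is only compared, never dereferenced. */
static int leaves_dangling_pointer(int use_fixed)
{
    struct dvb_dev *dev = NULL;
    int rc = use_fixed ? register_device_fixed(&dev, 1)
                       : register_device_buggy(&dev, 1);
    if (rc == 0)
        return -1;                    /* unexpected: the step was told to fail */
    return dev != NULL;
}

/* Successful registration, then release twice; the second release must be a
 * no-op. Returns the number of objects actually released (expected: 1). */
static int register_then_release_twice(void)
{
    struct dvb_dev *dev = NULL;
    if (register_device_fixed(&dev, 0))
        return -1;
    return release_device(&dev) + release_device(&dev);
}

int main(void)
{
    printf("buggy leaves dangling pointer: %d\n", leaves_dangling_pointer(0));
    printf("fixed leaves dangling pointer: %d\n", leaves_dangling_pointer(1));
    printf("objects released: %d\n", register_then_release_twice());
    return 0;
}
```

Building the buggy variant with AddressSanitizer and letting the caller's release path run is the quickest way to see the report the commit describes; the model above deliberately stops short of that dereference.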


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: erspan: make sure erspan_base_hdr is present in skb->head

syzbot reported a problem in ip6erspan_rcv() [1]

Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make sure erspan_base_hdr is present in the skb linear part (skb->head) before getting the @ver field from it.

Add the missing pskb_may_pull() calls.

v2: Reload iph pointer in erspan_rcv() after pskb_may_pull() because skb->head might have changed.

[1]
BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]
BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
pskb_may_pull include/linux/skbuff.h:2756 [inline]
ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438
ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
dst_input include/net/dst.h:460 [inline]
ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79
NF_HOOK include/linux/netfilter.h:314 [inline]
ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5538 [inline]
__netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652
netif_receive_skb_internal net/core/dev.c:5738 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5798
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2108 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb63/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was created at:
slab_post_alloc_hook mm/slub.c:3804 [inline]
slab_alloc_node mm/slub.c:3845 [inline]
kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
alloc_skb include/linux/skbuff.h:1318 [inline]
alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
tun_alloc_skb drivers/net/tun.c:1525 [inline]
tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846
tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
call_write_iter include/linux/fs.h:2108 [inline]
new_sync_write fs/read_write.c:497 [inline]
vfs_write+0xb63/0x1520 fs/read_write.c:590
ksys_write+0x20f/0x4c0 fs/read_write.c:643
__do_sys_write fs/read_write.c:655 [inline]
__se_sys_write fs/read_write.c:652 [inline]
__x64_sys_write+0x93/0xe0 fs/read_write.c:652
do_syscall_64+0xd5/0x1f0
entry_SYSCALL_64_after_hwframe+0x6d/0x75

CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: check A-MSDU format more carefully If it looks like there's another subframe in the A-MSDU but the header isn't fully there, we can end up reading data out of bounds, only to discard later. Make this a bit more careful and check if the subframe header can even be present.
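Both this A-MSDU fix and the erspan fix above enforce the same rule: confirm that a header is fully present in readable memory before reading a field from it. The following is an added user-space model of that rule, not kernel, cfg80211 or ip_gre code. The `struct pkt` head/fragment split, the `may_pull` helper standing in for `pskb_may_pull()`, the 4-byte ERSPAN base header with the version in the top nibble, and the 14-byte DA/SA/length subframe header with 4-byte padding are the model's assumptions; the sample frames are constructed.

```c
/* Added example, not kernel code: a user-space model of the "pull before you
 * read" rule that both the ERSPAN and the A-MSDU fixes enforce. A packet has
 * a linear head (bytes that may be read directly, skb->head in the kernel)
 * and a total length; bytes beyond the head live in fragments and may only
 * be read after pskb_may_pull() has brought them into the head. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct pkt {
    uint8_t data[128];   /* backing store for the whole packet */
    size_t linear;       /* bytes currently readable in the head */
    size_t len;          /* total packet length, head + fragments */
};

static struct pkt make_pkt(const uint8_t *bytes, size_t len, size_t linear)
{
    struct pkt p;
    memset(&p, 0, sizeof(p));
    memcpy(p.data, bytes, len);
    p.len = len;
    p.linear = linear < len ? linear : len;
    return p;
}

/* Model of pskb_may_pull(): fails if the packet is too short, otherwise
 * guarantees 'need' bytes are in the head (copied from fragments if needed). */
static int may_pull(struct pkt *p, size_t need)
{
    if (need > p->len)
        return 0;
    if (need > p->linear)
        p->linear = need;
    return 1;
}

/* Assumed ERSPAN base header: 4 bytes, version in the top 4 bits of byte 0. */
#define ERSPAN_BASE_HDR_LEN 4

/* Post-fix: pull the base header before reading @ver. Returns the version,
 * or -1 when the header is not fully present. hdr_off is where the ERSPAN
 * header starts (after the GRE header). */
static int erspan_version_checked(struct pkt *p, size_t hdr_off)
{
    if (!may_pull(p, hdr_off + ERSPAN_BASE_HDR_LEN))
        return -1;
    return p->data[hdr_off] >> 4;
}

/* Pre-fix shape: reads @ver without pulling. Instead of performing the bad
 * read, the model returns -2 when the read would touch bytes outside the
 * head, which is the uninitialised read KMSAN flagged. */
static int erspan_version_unchecked(const struct pkt *p, size_t hdr_off)
{
    if (hdr_off + ERSPAN_BASE_HDR_LEN > p->linear)
        return -2;
    return p->data[hdr_off] >> 4;
}

/* Assumed A-MSDU subframe: DA(6) SA(6) length(2, big-endian) payload; every
 * subframe except the last is padded to a 4-byte boundary. */
#define AMSDU_SUBFRAME_HDR_LEN 14

/* Counts subframes. Returns -1 if a subframe header cannot fit in the bytes
 * that remain (the cfg80211 check) or a declared length overruns the buffer. */
static int amsdu_count_subframes(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;

    while (off < len) {
        size_t remaining = len - off, payload, subframe;

        if (remaining < AMSDU_SUBFRAME_HDR_LEN)
            return -1;               /* header cannot even be present */
        payload = ((size_t)buf[off + 12] << 8) | buf[off + 13];
        subframe = AMSDU_SUBFRAME_HDR_LEN + payload;
        if (subframe > remaining)
            return -1;               /* declared payload runs past the end */
        n++;
        off += subframe;
        if (off == len)
            break;                   /* last subframe carries no padding */
        off = (off + 3) & ~(size_t)3;
    }
    return n;
}

/* Constructed sample: two subframes (5-byte and 2-byte payloads), 36 bytes.
 * 'len' presents a truncated copy of the same frame to the parser. */
static int demo_amsdu(size_t len)
{
    static const uint8_t frame[36] = {
        0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x00,0x05,
        'h','e','l','l','o', 0x00,                       /* payload + 1 pad byte */
        0x02,0x00,0x00,0x00,0x00,0x01, 0x02,0x00,0x00,0x00,0x00,0x02, 0x00,0x02,
        'o','k',
    };
    return amsdu_count_subframes(frame, len < sizeof(frame) ? len : sizeof(frame));
}

/* Constructed sample: 4-byte GRE header, then an ERSPAN base header with
 * version nibble 2; only 'linear' bytes start out in the head. */
static int demo_erspan(size_t total_len, size_t linear, int checked)
{
    static const uint8_t bytes[8] = { 0x10,0x00,0x88,0xbe, 0x20,0x00,0x00,0x00 };
    struct pkt p = make_pkt(bytes, total_len < 8 ? total_len : 8, linear);
    return checked ? erspan_version_checked(&p, 4) : erspan_version_unchecked(&p, 4);
}
```

`demo_erspan(8, 4, 0)` reproduces the reported condition (header beyond the head, read anyway); the checked variant pulls first and returns the version, or refuses a packet that is simply too short.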


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: arm64: tlb: Fix TLBI RANGE operand

KVM/arm64 relies on the TLBI RANGE feature to flush TLBs when the dirty pages are collected by the VMM and the page table entries become write protected during live migration. Unfortunately, the operand passed to the TLBI RANGE instruction isn't correctly sorted out due to commit 117940aa6e5f ("KVM: arm64: Define kvm_tlb_flush_vmid_range()"). It leads to a crash on the destination VM after live migration because TLBs aren't flushed completely and some of the dirty pages are missed.

For example, I have a VM where 8GB memory is assigned, starting from 0x40000000 (1GB). Note that the host has 4KB as the base page size. In the middle of migration, kvm_tlb_flush_vmid_range() is executed to flush TLBs. It passes MAX_TLBI_RANGE_PAGES as the argument to __kvm_tlb_flush_vmid_range() and __flush_s2_tlb_range_op(). SCALE#3 and NUM#31, corresponding to MAX_TLBI_RANGE_PAGES, aren't supported by __TLBI_RANGE_NUM(). In this specific case, -1 has been returned from __TLBI_RANGE_NUM() for SCALE#3/2/1/0 and rejected by the loop in __flush_tlb_range_op() until the variable @scale underflows and becomes -9, and 0xffff708000040000 is set as the operand. The operand is wrong since it's sorted out by __TLBI_VADDR_RANGE() according to the invalid @scale and @num.

Fix it by extending __TLBI_RANGE_NUM() to support the combination of SCALE#3 and NUM#31. With the changes, [-1 31] instead of [-1 30] can be returned from the macro, meaning the TLBs for 0x200000 pages in the above example can be flushed in one shot with SCALE#3 and NUM#31. The macro TLBI_RANGE_MASK is dropped since no one uses it any more. The comments are also adjusted accordingly.
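The arithmetic in this report, worked through as an added example (not the kernel's code): a range TLBI covers (NUM + 1) * 2^(5*SCALE + 1) pages, so the 0x200000 pages of the 8 GB example need exactly SCALE 3 / NUM 31, which the pre-fix formula cannot express because it masks the shifted page count to five bits. The `flush_range` loop is a simplified model of the kernel's range loop; the only deliberate difference is that it stops with -1 where the kernel would continue with an underflowed @scale.

```c
/* Added example, not kernel code: the arithmetic behind the TLBI RANGE fix.
 * One range operation invalidates (NUM + 1) * 2^(5*SCALE + 1) pages, with
 * NUM in 0..31 and SCALE in 0..3, so the largest single operation covers
 * 32 << 16 = 0x200000 pages (MAX_TLBI_RANGE_PAGES). */
#include <stdio.h>

#define TLBI_RANGE_PAGES(num, scale) \
    ((unsigned long)((num) + 1) << (5 * (scale) + 1))
#define MAX_TLBI_RANGE_PAGES TLBI_RANGE_PAGES(31, 3)   /* 0x200000 */

/* Pre-fix formula: the shifted page count is masked to 5 bits, so the exact
 * value 32 (0x200000 >> 16) wraps to 0 and the result is -1 ("does not fit"). */
static int range_num_old(unsigned long pages, int scale)
{
    int n = (int)((pages >> (5 * scale + 1)) & 0x1f);
    return n - 1;
}

/* Post-fix formula: clamp the page count to what NUM = 31 can express at this
 * scale instead of masking, so 0x200000 pages at SCALE 3 gives NUM 31. */
static int range_num_new(unsigned long pages, int scale)
{
    unsigned long cap = TLBI_RANGE_PAGES(31, scale);
    unsigned long p = pages < cap ? pages : cap;
    return (int)(p >> (5 * scale + 1)) - 1;
}

struct tlbi_op {
    int scale;   /* -1 marks a single-page invalidation */
    int num;
};

/* Simplified model of the range loop: try the largest scale first, emit one
 * operation per successful fit, fall back to a single-page op when one page
 * remains. The model returns -1 when SCALE would drop below 0 (where the
 * kernel carried on with an invalid operand). Returns the operation count. */
static int flush_range(unsigned long pages,
                       int (*range_num)(unsigned long, int),
                       struct tlbi_op *ops, int max_ops)
{
    int scale = 3, n = 0;

    while (pages > 0) {
        int num;
        if (n >= max_ops)
            return -1;
        if (pages == 1) {
            ops[n].scale = -1; ops[n].num = 0; n++;
            pages--;
            continue;
        }
        if (scale < 0)
            return -1;                 /* no fit at any scale: the bug */
        num = range_num(pages, scale);
        if (num >= 0) {
            ops[n].scale = scale; ops[n].num = num; n++;
            pages -= TLBI_RANGE_PAGES(num, scale);
        }
        scale--;
    }
    return n;
}

/* Number of operations needed for 'pages' with the old or the fixed formula. */
static int flush_count(unsigned long pages, int use_fixed)
{
    struct tlbi_op ops[8];
    return flush_range(pages, use_fixed ? range_num_new : range_num_old, ops, 8);
}

/* SCALE and NUM of the first operation, packed as scale * 100 + num
 * (a single-page op packs to -100); -1 if the flush fails. */
static int first_op(unsigned long pages, int use_fixed)
{
    struct tlbi_op ops[8];
    int n = flush_range(pages, use_fixed ? range_num_new : range_num_old, ops, 8);
    return n > 0 ? ops[0].scale * 100 + ops[0].num : -1;
}

int main(void)
{
    /* the 8 GB VM in the report: 0x200000 4 KB pages */
    printf("old formula, MAX pages: %d ops\n", flush_count(MAX_TLBI_RANGE_PAGES, 0));
    printf("new formula, MAX pages: %d ops, first op %d\n",
           flush_count(MAX_TLBI_RANGE_PAGES, 1), first_op(MAX_TLBI_RANGE_PAGES, 1));
    return 0;
}
```

For any count below 0x200000 both formulas agree (0x100003 pages takes three operations either way); only the maximal count, which is exactly what kvm_tlb_flush_vmid_range() passes, separates them.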


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: extend minimum interval restriction to entire cycle too

It is possible for syzbot to side-step the restriction imposed by the blamed commit in the Fixes: tag, because the taprio UAPI permits a cycle-time different from (and potentially shorter than) the sum of entry intervals.

We need one more restriction, which is that the cycle time itself must be larger than N * ETH_ZLEN bit times, where N is the number of schedule entries. This restriction needs to apply regardless of whether the cycle time came from the user or was the implicit, auto-calculated value, so we move the existing "cycle == 0" check outside the "if (!new->cycle_time)" branch. This way covers both conditions and scenarios.

Add a selftest which illustrates the issue triggered by syzbot.
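The two restrictions described above, as an added user-space validator (not the taprio code): each entry interval must be at least one minimum-size frame's wire time, and the effective cycle time, user-supplied or auto-calculated, must be at least N times that. The link speed, the nanosecond conversion and the error codes are the model's assumptions; the schedule in `demo_result` is constructed.

```c
/* Added example, not the kernel's taprio code: a model of the two schedule
 * restrictions. (1) Every entry interval must be at least the time one
 * ETH_ZLEN (60-byte) frame takes on the wire (the earlier fix). (2) The cycle
 * time, whether supplied by the user or computed as the sum of intervals,
 * must be at least N * that duration (this fix). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_ZLEN 60     /* minimum Ethernet frame length in bytes */

enum taprio_err {
    TAPRIO_OK = 0,
    TAPRIO_ERR_INTERVAL,      /* an entry is shorter than one ETH_ZLEN frame */
    TAPRIO_ERR_CYCLE_ZERO,    /* cycle time would be 0 */
    TAPRIO_ERR_CYCLE_SHORT,   /* cycle time shorter than N * ETH_ZLEN frames */
};

/* Nanoseconds needed to transmit 'bytes' at 'link_mbps', rounded up
 * (model of the driver's length-to-duration helper). */
static uint64_t length_to_duration_ns(unsigned bytes, unsigned link_mbps)
{
    uint64_t bits = (uint64_t)bytes * 8;
    return (bits * 1000 + link_mbps - 1) / link_mbps;
}

/* intervals[] in ns; cycle_time 0 means "auto-calculate", as in the UAPI.
 * On success *cycle_out receives the effective cycle time. */
static int taprio_validate(const uint64_t *intervals, size_t n,
                           uint64_t cycle_time, unsigned link_mbps,
                           uint64_t *cycle_out)
{
    uint64_t min_interval = length_to_duration_ns(ETH_ZLEN, link_mbps);
    uint64_t sum = 0, cycle;

    for (size_t i = 0; i < n; i++) {
        if (intervals[i] < min_interval)
            return TAPRIO_ERR_INTERVAL;
        sum += intervals[i];
    }
    cycle = cycle_time ? cycle_time : sum;

    /* Before the fix only the auto-calculated branch rejected a zero cycle;
     * both checks now run no matter where the cycle time came from. */
    if (cycle == 0)
        return TAPRIO_ERR_CYCLE_ZERO;
    if (cycle < (uint64_t)n * min_interval)
        return TAPRIO_ERR_CYCLE_SHORT;

    *cycle_out = cycle;
    return TAPRIO_OK;
}

/* Constructed schedule: two 1 us entries on a 1 Gbit/s link, where one
 * ETH_ZLEN frame takes 480 ns. Returns the result for a given user cycle time. */
static int demo_result(uint64_t cycle_time)
{
    const uint64_t iv[2] = { 1000, 1000 };
    uint64_t cycle = 0;
    return taprio_validate(iv, 2, cycle_time, 1000, &cycle);
}

/* Effective cycle time for the same schedule, 0 if it was rejected. */
static uint64_t demo_cycle(uint64_t cycle_time)
{
    const uint64_t iv[2] = { 1000, 1000 };
    uint64_t cycle = 0;
    return taprio_validate(iv, 2, cycle_time, 1000, &cycle) == TAPRIO_OK ? cycle : 0;
}

/* The earlier restriction on its own: one entry shorter than a frame. */
static int demo_short_entry(void)
{
    const uint64_t iv[2] = { 100, 1000 };
    uint64_t cycle = 0;
    return taprio_validate(iv, 2, 0, 1000, &cycle);
}

int main(void)
{
    printf("auto cycle: result %d, cycle %llu ns\n", demo_result(0),
           (unsigned long long)demo_cycle(0));
    printf("user cycle 500 ns: result %d\n", demo_result(500));
    return 0;
}
```

With these intervals the auto-calculated cycle (2000 ns) always passes; the case the commit closes is a user-supplied cycle such as 500 ns, which is shorter than the 960 ns two minimum frames need.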


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: relax socket state check at accept time.

Christoph reported the following splat:

WARNING: CPU: 1 PID: 772 at net/ipv4/af_inet.c:761 __inet_accept+0x1f4/0x4a0
Modules linked in:
CPU: 1 PID: 772 Comm: syz-executor510 Not tainted 6.9.0-rc7-g7da7119fe22b #56
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:__inet_accept+0x1f4/0x4a0 net/ipv4/af_inet.c:759
Code: 04 38 84 c0 0f 85 87 00 00 00 41 c7 04 24 03 00 00 00 48 83 c4 10 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ec b7 da fd <0f> 0b e9 7f fe ff ff e8 e0 b7 da fd 0f 0b e9 fe fe ff ff 89 d9 80
RSP: 0018:ffffc90000c2fc58 EFLAGS: 00010293
RAX: ffffffff836bdd14 RBX: 0000000000000000 RCX: ffff888104668000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffffffff836bdb89 R09: fffff52000185f64
R10: dffffc0000000000 R11: fffff52000185f64 R12: dffffc0000000000
R13: 1ffff92000185f98 R14: ffff88810754d880 R15: ffff8881007b7800
FS: 000000001c772880(0000) GS:ffff88811b280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb9fcf2e178 CR3: 00000001045d2002 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
inet_accept+0x138/0x1d0 net/ipv4/af_inet.c:786
do_accept+0x435/0x620 net/socket.c:1929
__sys_accept4_file net/socket.c:1969 [inline]
__sys_accept4+0x9b/0x110 net/socket.c:1999
__do_sys_accept net/socket.c:2016 [inline]
__se_sys_accept net/socket.c:2013 [inline]
__x64_sys_accept+0x7d/0x90 net/socket.c:2013
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x58/0x100 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x4315f9
Code: fd ff 48 81 c4 80 00 00 00 e9 f1 fe ff ff 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab b4 fd ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdb26d9c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 0000000000400300 RCX: 00000000004315f9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00000000006e1018 R08: 0000000000400300 R09: 0000000000400300
R10: 0000000000400300 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000040cdf0 R14: 000000000040ce80 R15: 0000000000000055
</TASK>

The reproducer invokes shutdown() before entering the listener status.

After commit 94062790aedb ("tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets"), the above causes the child to reach the accept syscall in FIN_WAIT1 status.

Eric noted we can relax the existing assertion in __inet_accept()


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: fix out-of-bounds access in ops_init

net_alloc_generic is called by net_alloc, which is called without any locking. It reads max_gen_ptrs, which is changed under pernet_ops_rwsem. It is read twice, first to allocate an array, then to set s.len, which is later used to limit the bounds of the array access.

It is possible that the array is allocated and another thread is registering a new pernet ops, increments max_gen_ptrs, which is then used to set s.len with a larger than allocated length for the variable array.

Fix it by reading max_gen_ptrs only once in net_alloc_generic. If max_gen_ptrs is later incremented, it will be caught in net_assign_generic.
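The double-read race, reduced to a deterministic added example (not the kernel's net_alloc_generic): the shared counter is read once to size the allocation and once more to record the bound, and a hook injects the concurrent registration between the two reads so the mismatch shows up without depending on thread timing. The `struct net_generic` layout, the hook and the starting value of `max_gen_ptrs` are the model's assumptions.

```c
/* Added example, not kernel code: the double-read race in net_alloc_generic
 * as a deterministic model. 'max_gen_ptrs' is shared state that a concurrent
 * registration may increment. The buggy allocator reads it once to size the
 * array and again to record the bound used by later index checks; if an
 * increment lands in between, the recorded bound exceeds the allocation. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct net_generic {
    size_t len;       /* bound consulted by later accesses (s.len in the kernel) */
    void *ptr[];      /* flexible array, allocated with some number of slots */
};

static unsigned max_gen_ptrs = 4;          /* shared; changed under a lock elsewhere */

/* Hook standing in for the other thread's pernet ops registration. */
static void (*between_reads)(void) = NULL;
static void bump_max_gen_ptrs(void) { max_gen_ptrs++; }

/* Pre-fix shape: two reads of the shared value. */
static struct net_generic *net_alloc_generic_buggy(size_t *allocated)
{
    size_t first = max_gen_ptrs;                      /* read #1 sizes the array */
    struct net_generic *ng = calloc(1, sizeof(*ng) + first * sizeof(void *));
    if (!ng)
        return NULL;
    *allocated = first;
    if (between_reads)
        between_reads();                              /* registration lands here */
    ng->len = max_gen_ptrs;                           /* read #2 may be larger */
    return ng;
}

/* Post-fix shape: one read, used for both the allocation and the bound. A
 * later increment is harmless: the bound stays at the allocated size and the
 * kernel's net_assign_generic reallocates when a new id does not fit. */
static struct net_generic *net_alloc_generic_fixed(size_t *allocated)
{
    size_t generic_size = max_gen_ptrs;
    struct net_generic *ng = calloc(1, sizeof(*ng) + generic_size * sizeof(void *));
    if (!ng)
        return NULL;
    *allocated = generic_size;
    if (between_reads)
        between_reads();
    ng->len = generic_size;
    return ng;
}

/* Returns 1 if the recorded bound exceeds the allocation (an index check
 * against ->len would then admit an out-of-bounds slot), 0 if consistent. */
static int bound_exceeds_allocation(int use_fixed)
{
    size_t allocated = 0;
    struct net_generic *ng;
    int bad;

    max_gen_ptrs = 4;
    between_reads = bump_max_gen_ptrs;
    ng = use_fixed ? net_alloc_generic_fixed(&allocated)
                   : net_alloc_generic_buggy(&allocated);
    between_reads = NULL;
    if (!ng)
        return -1;
    bad = ng->len > allocated;
    free(ng);
    return bad;
}

int main(void)
{
    printf("buggy: bound exceeds allocation = %d\n", bound_exceeds_allocation(0));
    printf("fixed: bound exceeds allocation = %d\n", bound_exceeds_allocation(1));
    return 0;
}
```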


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: tipc: fix UAF in error path

Sam Page (sam4k) working with Trend Micro Zero Day Initiative reported a UAF in the tipc_buf_append() error path:

BUG: KASAN: slab-use-after-free in kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183
Read of size 8 at addr ffff88804d2a7c80 by task poc/8034
CPU: 1 PID: 8034 Comm: poc Not tainted 6.8.2 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
Call Trace:
<IRQ>
__dump_stack linux/lib/dump_stack.c:88
dump_stack_lvl+0xd9/0x1b0 linux/lib/dump_stack.c:106
print_address_description linux/mm/kasan/report.c:377
print_report+0xc4/0x620 linux/mm/kasan/report.c:488
kasan_report+0xda/0x110 linux/mm/kasan/report.c:601
kfree_skb_list_reason+0x47e/0x4c0 linux/net/core/skbuff.c:1183
skb_release_data+0x5af/0x880 linux/net/core/skbuff.c:1026
skb_release_all linux/net/core/skbuff.c:1094
__kfree_skb linux/net/core/skbuff.c:1108
kfree_skb_reason+0x12d/0x210 linux/net/core/skbuff.c:1144
kfree_skb linux/./include/linux/skbuff.h:1244
tipc_buf_append+0x425/0xb50 linux/net/tipc/msg.c:186
tipc_link_input+0x224/0x7c0 linux/net/tipc/link.c:1324
tipc_link_rcv+0x76e/0x2d70 linux/net/tipc/link.c:1824
tipc_rcv+0x45f/0x10f0 linux/net/tipc/node.c:2159
tipc_udp_recv+0x73b/0x8f0 linux/net/tipc/udp_media.c:390
udp_queue_rcv_one_skb+0xad2/0x1850 linux/net/ipv4/udp.c:2108
udp_queue_rcv_skb+0x131/0xb00 linux/net/ipv4/udp.c:2186
udp_unicast_rcv_skb+0x165/0x3b0 linux/net/ipv4/udp.c:2346
__udp4_lib_rcv+0x2594/0x3400 linux/net/ipv4/udp.c:2422
ip_protocol_deliver_rcu+0x30c/0x4e0 linux/net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x2e4/0x520 linux/net/ipv4/ip_input.c:233
NF_HOOK linux/./include/linux/netfilter.h:314
NF_HOOK linux/./include/linux/netfilter.h:308
ip_local_deliver+0x18e/0x1f0 linux/net/ipv4/ip_input.c:254
dst_input linux/./include/net/dst.h:461
ip_rcv_finish linux/net/ipv4/ip_input.c:449
NF_HOOK linux/./include/linux/netfilter.h:314
NF_HOOK linux/./include/linux/netfilter.h:308 ip_rcv+0x2c5/0x5d0 linux/net/ipv4/ip_input.c:569 __netif_receive_skb_one_core+0x199/0x1e0 linux/net/core/dev.c:5534 __netif_receive_skb+0x1f/0x1c0 linux/net/core/dev.c:5648 process_backlog+0x101/0x6b0 linux/net/core/dev.c:5976 __napi_poll.constprop.0+0xba/0x550 linux/net/core/dev.c:6576 napi_poll linux/net/core/dev.c:6645 net_rx_action+0x95a/0xe90 linux/net/core/dev.c:6781 __do_softirq+0x21f/0x8e7 linux/kernel/softirq.c:553 do_softirq linux/kernel/softirq.c:454 do_softirq+0xb2/0xf0 linux/kernel/softirq.c:441 </IRQ> <TASK> __local_bh_enable_ip+0x100/0x120 linux/kernel/softirq.c:381 local_bh_enable linux/./include/linux/bottom_half.h:33 rcu_read_unlock_bh linux/./include/linux/rcupdate.h:851 __dev_queue_xmit+0x871/0x3ee0 linux/net/core/dev.c:4378 dev_queue_xmit linux/./include/linux/netdevice.h:3169 neigh_hh_output linux/./include/net/neighbour.h:526 neigh_output linux/./include/net/neighbour.h:540 ip_finish_output2+0x169f/0x2550 linux/net/ipv4/ip_output.c:235 __ip_finish_output linux/net/ipv4/ip_output.c:313 __ip_finish_output+0x49e/0x950 linux/net/ipv4/ip_output.c:295 ip_finish_output+0x31/0x310 linux/net/ipv4/ip_output.c:323 NF_HOOK_COND linux/./include/linux/netfilter.h:303 ip_output+0x13b/0x2a0 linux/net/ipv4/ip_output.c:433 dst_output linux/./include/net/dst.h:451 ip_local_out linux/net/ipv4/ip_output.c:129 ip_send_skb+0x3e5/0x560 linux/net/ipv4/ip_output.c:1492 udp_send_skb+0x73f/0x1530 linux/net/ipv4/udp.c:963 udp_sendmsg+0x1a36/0x2b40 linux/net/ipv4/udp.c:1250 inet_sendmsg+0x105/0x140 linux/net/ipv4/af_inet.c:850 sock_sendmsg_nosec linux/net/socket.c:730 __sock_sendmsg linux/net/socket.c:745 __sys_sendto+0x42c/0x4e0 linux/net/socket.c:2191 __do_sys_sendto linux/net/socket.c:2203 __se_sys_sendto linux/net/socket.c:2199 __x64_sys_sendto+0xe0/0x1c0 linux/net/socket.c:2199 do_syscall_x64 linux/arch/x86/entry/common.c:52 do_syscall_ ---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets

TCP_SYN_RECV state is really special, it is only used by cross-syn connections, mostly used by fuzzers.

In the following crash [1], syzbot managed to trigger a divide by zero in tcp_rcv_space_adjust()

A socket makes the following state transitions, without ever calling tcp_init_transfer(), meaning tcp_init_buffer_space() is also not called.

TCP_CLOSE
  connect()
TCP_SYN_SENT
TCP_SYN_RECV
  shutdown() -> tcp_shutdown(sk, SEND_SHUTDOWN)
TCP_FIN_WAIT1

To fix this issue, change tcp_shutdown() to not perform a TCP_SYN_RECV -> TCP_FIN_WAIT1 transition, which makes no sense anyway.

When tcp_rcv_state_process() later changes socket state from TCP_SYN_RECV to TCP_ESTABLISH, then look at sk->sk_shutdown to finally enter TCP_FIN_WAIT1 state, and send a FIN packet from a sane socket state.

This means tcp_send_fin() can now be called from BH context, and must use GFP_ATOMIC allocations.
[1] divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 PID: 5084 Comm: syz-executor358 Not tainted 6.9.0-rc6-syzkaller-00022-g98369dccd2f8 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024 RIP: 0010:tcp_rcv_space_adjust+0x2df/0x890 net/ipv4/tcp_input.c:767 Code: e3 04 4c 01 eb 48 8b 44 24 38 0f b6 04 10 84 c0 49 89 d5 0f 85 a5 03 00 00 41 8b 8e c8 09 00 00 89 e8 29 c8 48 0f af c3 31 d2 <48> f7 f1 48 8d 1c 43 49 8d 96 76 08 00 00 48 89 d0 48 c1 e8 03 48 RSP: 0018:ffffc900031ef3f0 EFLAGS: 00010246 RAX: 0c677a10441f8f42 RBX: 000000004fb95e7e RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000027d4b11f R08: ffffffff89e535a4 R09: 1ffffffff25e6ab7 R10: dffffc0000000000 R11: ffffffff8135e920 R12: ffff88802a9f8d30 R13: dffffc0000000000 R14: ffff88802a9f8d00 R15: 1ffff1100553f2da FS: 00005555775c0380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1155bf2304 CR3: 000000002b9f2000 CR4: 0000000000350ef0 Call Trace: <TASK> tcp_recvmsg_locked+0x106d/0x25a0 net/ipv4/tcp.c:2513 tcp_recvmsg+0x25d/0x920 net/ipv4/tcp.c:2578 inet6_recvmsg+0x16a/0x730 net/ipv6/af_inet6.c:680 sock_recvmsg_nosec net/socket.c:1046 [inline] sock_recvmsg+0x109/0x280 net/socket.c:1068 ____sys_recvmsg+0x1db/0x470 net/socket.c:2803 ___sys_recvmsg net/socket.c:2845 [inline] do_recvmmsg+0x474/0xae0 net/socket.c:2939 __sys_recvmmsg net/socket.c:3018 [inline] __do_sys_recvmmsg net/socket.c:3041 [inline] __se_sys_recvmmsg net/socket.c:3034 [inline] __x64_sys_recvmmsg+0x199/0x250 net/socket.c:3034 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7faeb6363db9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 
01 48 RSP: 002b:00007ffcc1997168 EFLAGS: 00000246 ORIG_RAX: 000000000000012b RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007faeb6363db9 RDX: 0000000000000001 RSI: 0000000020000bc0 RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000001c R10: 0000000000000122 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000001


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr() vgic_v2_parse_attr() is responsible for finding the vCPU that matches the user-provided CPUID, which (of course) may not be valid. If the ID is invalid, kvm_get_vcpu_by_id() returns NULL, which isn't handled gracefully. Similar to the GICv3 uaccess flow, check that kvm_get_vcpu_by_id() actually returns something and fail the ioctl if not.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: tipc: fix a possible memleak in tipc_buf_append __skb_linearize() doesn't free the skb when it fails, so move '*buf = NULL' after __skb_linearize(), so that the skb can be freed on the err path.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: octeontx2-af: avoid off-by-one read from userspace

We try to access count + 1 bytes from userspace with memdup_user(buffer, count + 1). However, the userspace only provides a buffer of count bytes and only these count bytes are verified to be okay to access. To ensure the copied buffer is NUL terminated, we use memdup_user_nul instead.
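The off-by-one as an added user-space model (not kernel or octeontx2 code): user memory is treated as exactly `count` readable bytes, so a copy of `count + 1` bytes faults, while the `_nul` variant copies `count` bytes and appends the terminator itself. The `copy_from_user_model` helper, the `struct user_buf` mapping, the write-handler shapes and the "hello" input are the model's assumptions.

```c
/* Added example, not kernel or octeontx2 code: a user-space model of the
 * off-by-one. User memory is exactly 'count' readable bytes, and the copy
 * helper fails (non-zero return, like copy_from_user) when asked for more.
 * memdup_user(buf, count + 1) therefore reads a byte userspace never
 * provided; memdup_user_nul(buf, count) copies count bytes and appends NUL. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct user_buf {
    const char *base;
    size_t readable;     /* bytes userspace actually handed over */
};

/* Returns the number of bytes not copied (0 on success), as copy_from_user does. */
static size_t copy_from_user_model(void *dst, const struct user_buf *u, size_t n)
{
    if (n > u->readable)
        return n - u->readable;      /* the extra byte is not mapped: fault */
    memcpy(dst, u->base, n);
    return 0;
}

/* Model of memdup_user(): copies len bytes, adds no terminator. */
static void *memdup_user_model(const struct user_buf *u, size_t len, int *err)
{
    void *p = malloc(len ? len : 1);
    if (!p) { *err = -ENOMEM; return NULL; }
    if (copy_from_user_model(p, u, len)) { free(p); *err = -EFAULT; return NULL; }
    *err = 0;
    return p;
}

/* Model of memdup_user_nul(): copies len bytes and supplies the NUL itself. */
static char *memdup_user_nul_model(const struct user_buf *u, size_t len, int *err)
{
    char *p = malloc(len + 1);
    if (!p) { *err = -ENOMEM; return NULL; }
    if (copy_from_user_model(p, u, len)) { free(p); *err = -EFAULT; return NULL; }
    p[len] = '\0';
    *err = 0;
    return p;
}

/* Pre-fix write handler: asks for count + 1 bytes so it can overwrite the
 * last one with a NUL. Copies the command into 'out' on success. */
static int write_handler_before(const struct user_buf *u, size_t count,
                                char *out, size_t outsz)
{
    int err;
    char *cmd = memdup_user_model(u, count + 1, &err);
    if (!cmd)
        return err;
    cmd[count] = '\0';
    snprintf(out, outsz, "%s", cmd);
    free(cmd);
    return 0;
}

/* Post-fix write handler: requests exactly count bytes. */
static int write_handler_after(const struct user_buf *u, size_t count,
                               char *out, size_t outsz)
{
    int err;
    char *cmd = memdup_user_nul_model(u, count, &err);
    if (!cmd)
        return err;
    snprintf(out, outsz, "%s", cmd);
    free(cmd);
    return 0;
}

/* Constructed input: userspace writes "hello" with no trailing NUL (count 5). */
static int demo_write(int use_fixed, char *out, size_t outsz)
{
    static const char user_bytes[5] = { 'h', 'e', 'l', 'l', 'o' };
    struct user_buf u = { user_bytes, sizeof(user_bytes) };
    return use_fixed ? write_handler_after(&u, sizeof(user_bytes), out, outsz)
                     : write_handler_before(&u, sizeof(user_bytes), out, outsz);
}

/* Status of the handler for the constructed input (0 or -EFAULT). */
static int demo_status(int use_fixed)
{
    char out[32];
    return demo_write(use_fixed, out, sizeof(out));
}

/* 1 if the handler accepted the input and recovered exactly "hello". */
static int demo_command_matches(int use_fixed)
{
    char out[32];
    if (demo_write(use_fixed, out, sizeof(out)))
        return 0;
    return strcmp(out, "hello") == 0;
}

int main(void)
{
    printf("before: status %d\n", demo_status(0));
    printf("after:  status %d, command ok %d\n", demo_status(1), demo_command_matches(1));
    return 0;
}
```

In the real kernel the extra byte is not guaranteed to fault; the model takes the strict view that anything outside what userspace provided is unmapped, which is the case the fix has to be correct for.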


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow

There is a possibility of buffer overflow in show_rcu_tasks_trace_gp_kthread() if the counters passed to sprintf() are huge. The counter values needed for this are unrealistically high, but the buffer overflow is still possible. Use snprintf() with the buffer size instead of sprintf(). Found by Linux Verification Center (linuxtesting.org) with SVACE.
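The sprintf-to-snprintf change, as an added example (not the RCU code), including the part that is easy to get wrong: snprintf() returns the length the complete output would have needed, so that return value, compared with the buffer size, is what tells the caller whether truncation happened. The format string and the 32-byte buffer are stand-ins for the kthread status line, not the kernel's actual format.

```c
/* Added example, not kernel code: bounded formatting of counters into a
 * fixed buffer, with truncation detection via snprintf's return value. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define STATUS_BUF_SIZE 32

/* Pre-fix shape: unbounded sprintf(). The model does not perform the write;
 * it computes how many bytes sprintf() would have emitted (including the
 * NUL) so the overflow can be reported instead of executed. */
static int bytes_sprintf_would_write(unsigned long n1, unsigned long n2, unsigned long n3)
{
    return snprintf(NULL, 0, "N%lu h:%lu/%lu", n1, n2, n3) + 1;
}

/* Post-fix shape: bounded formatting. Returns 1 if the output was truncated
 * (caller may log a shorter form or enlarge the buffer), 0 if it fit.
 * 'buf' is NUL-terminated on return either way. */
static int format_status(char *buf, size_t size,
                         unsigned long n1, unsigned long n2, unsigned long n3)
{
    int needed = snprintf(buf, size, "N%lu h:%lu/%lu", n1, n2, n3);
    return needed < 0 || (size_t)needed >= size;
}

/* Small counters: fits, nothing truncated. */
static int demo_fits(void)
{
    char buf[STATUS_BUF_SIZE];
    return !format_status(buf, sizeof(buf), 3, 1, 2) && strcmp(buf, "N3 h:1/2") == 0;
}

/* Maximal counters: how far sprintf() would have written past a 32-byte buffer. */
static int demo_overflow_size(void)
{
    return bytes_sprintf_would_write(ULONG_MAX, ULONG_MAX, ULONG_MAX);
}

/* Maximal counters through the bounded path: truncated, still terminated. */
static int demo_truncated_safely(void)
{
    char buf[STATUS_BUF_SIZE];
    int truncated = format_status(buf, sizeof(buf), ULONG_MAX, ULONG_MAX, ULONG_MAX);
    return truncated && strlen(buf) == STATUS_BUF_SIZE - 1;
}

int main(void)
{
    printf("small counters fit: %d\n", demo_fits());
    printf("sprintf would write %d bytes into a %d-byte buffer\n",
           demo_overflow_size(), STATUS_BUF_SIZE);
    printf("snprintf truncates safely: %d\n", demo_truncated_safely());
    return 0;
}
```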


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: netrom: fix possible dead-lock in nr_rt_ioctl()

syzbot loves netrom, and found a possible deadlock in nr_rt_ioctl [1]

Make sure we always acquire nr_node_list_lock before nr_node_lock(nr_node)

[1]
WARNING: possible circular locking dependency detected
6.9.0-rc7-syzkaller-02147-g654de42f3fc6 #0 Not tainted
------------------------------------------------------
syz-executor350/5129 is trying to acquire lock:
ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_node_lock include/net/netrom.h:152 [inline]
ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:464 [inline]
ffff8880186e2070 (&nr_node->node_lock){+...}-{2:2}, at: nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697

but task is already holding lock:
ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline]
ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline]
ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_rt_ioctl+0x10a/0x1090 net/netrom/nr_route.c:697

which lock already depends on the new lock.
the existing dependency chain (in reverse order) is: -> #1 (nr_node_list_lock){+...}-{2:2}: lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] nr_remove_node net/netrom/nr_route.c:299 [inline] nr_del_node+0x4b4/0x820 net/netrom/nr_route.c:355 nr_rt_ioctl+0xa95/0x1090 net/netrom/nr_route.c:683 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #0 (&nr_node->node_lock){+...}-{2:2}: check_prev_add kernel/locking/lockdep.c:3134 [inline] check_prevs_add kernel/locking/lockdep.c:3253 [inline] validate_chain+0x18cb/0x58e0 kernel/locking/lockdep.c:3869 __lock_acquire+0x1346/0x1fd0 kernel/locking/lockdep.c:5137 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5754 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:126 [inline] _raw_spin_lock_bh+0x35/0x50 kernel/locking/spinlock.c:178 spin_lock_bh include/linux/spinlock.h:356 [inline] nr_node_lock include/net/netrom.h:152 [inline] nr_dec_obs net/netrom/nr_route.c:464 [inline] nr_rt_ioctl+0x1bb/0x1090 net/netrom/nr_route.c:697 sock_do_ioctl+0x158/0x460 net/socket.c:1222 sock_ioctl+0x629/0x8e0 net/socket.c:1341 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:904 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:890 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf5/0x240 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(nr_node_list_lock); lock(&nr_node->node_lock); lock(nr_node_list_lock); lock(&nr_node->node_lock); 
*** DEADLOCK *** 1 lock held by syz-executor350/5129: #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: spin_lock_bh include/linux/spinlock.h:356 [inline] #0: ffffffff8f7053b8 (nr_node_list_lock){+...}-{2:2}, at: nr_dec_obs net/netrom/nr_route.c:462 [inline] #0: ffffffff8f70 ---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: cpufreq: exit() callback is optional The exit() callback is optional and shouldn't be called without checking a valid pointer first. Also, we must clear freq_table pointer even if the exit() callback isn't present.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING

Xiao reported that lvm2 test lvconvert-raid-takeover.sh can hang with small possibility, the root cause is exactly the same as commit bed9e27baf52 ("Revert "md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d"")

However, Dan reported another hang after that, and junxiao investigated the problem and found out that this is caused by plugged bio can't issue from raid5d().

Current implementation in raid5d() has a weird dependence:

1) md_check_recovery() from raid5d() must hold 'reconfig_mutex' to clear MD_SB_CHANGE_PENDING;
2) raid5d() handles IO in a deadloop, until all IO are issued;
3) IO from raid5d() must wait for MD_SB_CHANGE_PENDING to be cleared;

This behaviour was introduced before v2.6, and as a consequence, if other context holds 'reconfig_mutex', and md_check_recovery() can't update super_block, then raid5d() will waste one cpu 100% by the deadloop, until 'reconfig_mutex' is released.

Refer to the implementation from raid1 and raid10, fix this problem by skipping issue IO if MD_SB_CHANGE_PENDING is still set after md_check_recovery(), daemon thread will be woken up when 'reconfig_mutex' is released. Meanwhile, the hang problem will be fixed as well.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: i2c: lpi2c: Avoid calling clk_get_rate during transfer Instead of repeatedly calling clk_get_rate for each transfer, lock the clock rate and cache the value. A deadlock has been observed while adding tlv320aic32x4 audio codec to the system. When this clock provider adds its clock, the clk mutex is locked already, it needs to access i2c, which in return needs the mutex for clk_get_rate as well.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: cpufreq: amd-pstate: fix memory leak on CPU EPP exit The cpudata memory from kzalloc() in amd_pstate_epp_cpu_init() is not freed in the analogous exit function, so fix that. [ rjw: Subject and changelog edits ]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: ocfs2: strict bound check before memcmp in ocfs2_xattr_find_entry() xattr in ocfs2 may be 'non-indexed', which is saved with additional space requested. It's better to check if the memory is out of bound before memcmp, although this possibility mainly comes from crafted poisonous images.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: sched/deadline: Fix task_struct reference leak

During the execution of the following stress test with linux-rt:

stress-ng --cyclic 30 --timeout 30 --minimize --quiet

kmemleak frequently reported a memory leak concerning the task_struct:

unreferenced object 0xffff8881305b8000 (size 16136):
  comm "stress-ng", pid 614, jiffies 4294883961 (age 286.412s)
  object hex dump (first 32 bytes):
    02 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00  .@..............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  debug hex dump (first 16 bytes):
    53 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00  S...............
  backtrace:
    [<00000000046b6790>] dup_task_struct+0x30/0x540
    [<00000000c5ca0f0b>] copy_process+0x3d9/0x50e0
    [<00000000ced59777>] kernel_clone+0xb0/0x770
    [<00000000a50befdc>] __do_sys_clone+0xb6/0xf0
    [<000000001dbf2008>] do_syscall_64+0x5d/0xf0
    [<00000000552900ff>] entry_SYSCALL_64_after_hwframe+0x6e/0x76

The issue occurs in start_dl_timer(), which increments the task_struct reference count and sets a timer. The timer callback, dl_task_timer, is supposed to decrement the reference count upon expiration. However, if enqueue_task_dl() is called before the timer expires and cancels it, the reference count is not decremented, leading to the leak.

This patch fixes the reference leak by ensuring the task_struct reference count is properly decremented when the timer is canceled.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: filelock: fix potential use-after-free in posix_lock_inode Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode(). The request pointer had been changed earlier to point to a lock entry that was added to the inode's list. However, before the tracepoint could fire, another task raced in and freed that lock. Fix this by moving the tracepoint inside the spinlock, which should ensure that this doesn't happen.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: mm: avoid overflows in dirty throttling logic The dirty throttling logic is interspersed with assumptions that dirty limits in PAGE_SIZE units fit into 32-bit (so that various multiplications fit into 64-bits). If limits end up being larger, we will hit overflows, possible divisions by 0 etc. Fix these problems by never allowing so large dirty limits as they have dubious practical value anyway. For dirty_bytes / dirty_background_bytes interfaces we can just refuse to set so large limits. For dirty_ratio / dirty_background_ratio it isn't so simple as the dirty limit is computed from the amount of available memory which can change due to memory hotplug etc. So when converting dirty limits from ratios to numbers of pages, we just don't allow the result to exceed UINT_MAX. This is a root-only triggerable problem which occurs when the operator sets dirty limits to >16 TB.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: IB/core: Implement a limit on UMAD receive List The existing behavior of ib_umad, which maintains received MAD packets in an unbounded list, poses a risk of uncontrolled growth. As user-space applications extract packets from this list, the rate of extraction may not match the rate of incoming packets, leading to potential list overflow. To address this, we introduce a limit to the size of the list. After considering typical scenarios, such as OpenSM processing, which can handle approximately 100k packets per second, and the 1-second retry timeout for most packets, we set the list size limit to 200k. Packets received beyond this limit are dropped, assuming they are likely timed out by the time they are handled by user-space. Notably, packets queued on the receive list due to reasons like timed-out sends are preserved even when the list is full.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: gpio: pca953x: fix pca953x_irq_bus_sync_unlock race

Ensure that `i2c_lock' is held when setting interrupt latch and mask in pca953x_irq_bus_sync_unlock() in order to avoid races.

The other (non-probe) call site pca953x_gpio_set_multiple() ensures the lock is held before calling pca953x_write_regs().

The problem occurred when a request raced against irq_bus_sync_unlock() approximately once per thousand reboots on an i.MX8MP based system.

* Normal case

  0-0022: write register AI|3a {03,02,00,00,01} Input latch P0
  0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0
  0-0022: write register AI|08 {ff,00,00,00,00} Output P3
  0-0022: write register AI|12 {fc,00,00,00,00} Config P3

* Race case

  0-0022: write register AI|08 {ff,00,00,00,00} Output P3
  0-0022: write register AI|08 {03,02,00,00,01} *** Wrong register ***
  0-0022: write register AI|12 {fc,00,00,00,00} Config P3
  0-0022: write register AI|49 {fc,fd,ff,ff,fe} Interrupt mask P0


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: missing check virtio

Two missing checks in virtio_net_hdr_to_skb() allowed syzbot to crash kernels again

1. After the skb_segment function the buffer may become non-linear (nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere the __skb_linearize function will not be executed, then the buffer will remain non-linear. Then the condition (offset >= skb_headlen(skb)) becomes true, which causes WARN_ON_ONCE in skb_checksum_help.

2. The struct sk_buff and struct virtio_net_hdr members must be mathematically related. (gso_size) must be greater than (needed) otherwise WARN_ON_ONCE. (remainder) must be greater than (needed) otherwise WARN_ON_ONCE. (remainder) may be 0 if division is without remainder.

offset+2 (4191) > skb_headlen() (1116)
WARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303
Modules linked in:
CPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303
Code: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef
RSP: 0018:ffffc90003a9f338 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209
RDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001
RBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c
R13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d
FS:  0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777
 ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584
 ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]
 __ip_finish_output net/ipv4/ip_output.c:308 [inline]
 __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295
 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433
 dst_output include/net/dst.h:451 [inline]
 ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129
 iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
 ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]
 sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076
 __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
 netdev_start_xmit include/linux/netdevice.h:4954 [inline]
 xmit_one net/core/dev.c:3545 [inline]
 dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561
 __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346
 dev_queue_xmit include/linux/netdevice.h:3134 [inline]
 packet_xmit+0x257/0x380 net/packet/af_packet.c:276
 packet_snd net/packet/af_packet.c:3087 [inline]
 packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0xd5/0x180 net/socket.c:745
 __sys_sendto+0x255/0x340 net/socket.c:2190
 __do_sys_sendto net/socket.c:2202 [inline]
 __se_sys_sendto net/socket.c:2198 [inline]
 __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Found by Linux Verification Center (linuxtesting.org) with Syzkaller


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: drop bad gso csum_start and offset in virtio_net_hdr

Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb for GSO packets.

The function already checks that a checksum requested with VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets this might not hold for segs after segmentation.

Syzkaller demonstrated to reach this warning in skb_checksum_help

  offset = skb_checksum_start_offset(skb);
  ret = -EINVAL;
  if (WARN_ON_ONCE(offset >= skb_headlen(skb)))

By injecting a TSO packet:

WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0
 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774
 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline]
 __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301
 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82
 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813
 __gre_xmit net/ipv4/ip_gre.c:469 [inline]
 ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661
 __netdev_start_xmit include/linux/netdevice.h:4850 [inline]
 netdev_start_xmit include/linux/netdevice.h:4864 [inline]
 xmit_one net/core/dev.c:3595 [inline]
 dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611
 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261
 packet_snd net/packet/af_packet.c:3073 [inline]

The geometry of the bad input packet at tcp_gso_segment:

[   52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0
[   52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244
[   52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))
[   52.003050][ T8403] csum(0x60000c7 start=199 offset=1536 ip_summed=3 complete_sw=0 valid=0 level=0)

Mitigate with stricter input validation.

csum_offset: for GSO packets, deduce the correct value from gso_type. This is already done for USO. Extend it to TSO. Let UFO be: udp[46]_ufo_fragment ignores these fields and always computes the checksum in software.

csum_start: finding the real offset requires parsing to the transport header. Do not add a parser, use existing segmentation parsing. Thanks to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded. Again test both TSO and USO. Do not test UFO for the above reason, and do not test UDP tunnel offload.

GSO packets are almost always CHECKSUM_PARTIAL. USO packets may be CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit from devices with no checksum offload"), but then still these fields are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no need to test for ip_summed == CHECKSUM_PARTIAL first.

This revises an existing fix mentioned in the Fixes tag, which broke small packets with GSO offload, as detected by kselftests.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: gpio: prevent potential speculation leaks in gpio_device_get_desc() Userspace may trigger a speculative read of an address outside the gpio descriptor array. Users can do that by calling gpio_ioctl() with an offset out of range. Offset is copied from user and then used as an array index to get the gpio descriptor without sanitization in gpio_device_get_desc(). This change ensures that the offset is sanitized by using array_index_nospec() to mitigate any possibility of speculative information leaks. This bug was discovered and resolved using Coverity Static Analysis Security Testing (SAST) by Synopsys, Inc.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: idpf: fix UAFs when destroying the queues The second tagged commit started sometimes (very rarely, but possible) throwing WARNs from net/core/page_pool.c:page_pool_disable_direct_recycling(). Turned out idpf frees interrupt vectors with embedded NAPIs *before* freeing the queues making page_pools' NAPI pointers lead to freed memory before these pools are destroyed by libeth. It's not clear whether there are other accesses to the freed vectors when destroying the queues, but anyway, we usually free queue/interrupt vectors only when the queues are destroyed and the NAPIs are guaranteed to not be referenced anywhere. Invert the allocation and freeing logic making queue/interrupt vectors be allocated first and freed last. Vectors don't require queues to be present, so this is safe. Additionally, this change allows to remove that useless queue->q_vector pointer cleanup, as vectors are still valid when freeing the queues (+ both are freed within one function, so it's not clear why nullify the pointers at all).


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: fuse: Initialize beyond-EOF page contents before setting uptodate fuse_notify_store(), unlike fuse_do_readpage(), does not enable page zeroing (because it can be used to change partial page contents). So fuse_notify_store() must be more careful to fully initialize page contents (including parts of the page that are beyond end-of-file) before marking the page uptodate. The current code can leave beyond-EOF page contents uninitialized, which makes these uninitialized page contents visible to userspace via mmap(). This is an information leak, but only affects systems which do not enable init-on-alloc (via CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y or the corresponding kernel command line parameter).


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: sched/smt: Fix unbalance sched_smt_present dec/inc

I got the following warn report while doing stress test:

jump label: negative count!
WARNING: CPU: 3 PID: 38 at kernel/jump_label.c:263 static_key_slow_try_dec+0x9d/0xb0
Call Trace:
 <TASK>
 __static_key_slow_dec_cpuslocked+0x16/0x70
 sched_cpu_deactivate+0x26e/0x2a0
 cpuhp_invoke_callback+0x3ad/0x10d0
 cpuhp_thread_fun+0x3f5/0x680
 smpboot_thread_fn+0x56d/0x8d0
 kthread+0x309/0x400
 ret_from_fork+0x41/0x70
 ret_from_fork_asm+0x1b/0x30
 </TASK>

Because when cpuset_cpu_inactive() fails in sched_cpu_deactivate(), the cpu offline failed, but sched_smt_present is decremented before calling sched_cpu_deactivate(), it leads to unbalanced dec/inc, so fix it by incrementing sched_smt_present in the error path.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leaks and crashes while performing a soft reset The second tagged commit introduced a UAF, as it removed restoring q_vector->vport pointers after reinitializing the structures. This is due to that all queue allocation functions are performed here with the new temporary vport structure and those functions rewrite the backpointers to the vport. Then, this new struct is freed and the pointers start leading to nowhere. But generally speaking, the current logic is very fragile. It claims to be more reliable when the system is low on memory, but in fact, it consumes two times more memory as at the moment of running this function, there are two vports allocated with their queues and vectors. Moreover, it claims to prevent the driver from running into "bad state", but in fact, any error during the rebuild leaves the old vport in the partially allocated state. Finally, if the interface is down when the function is called, it always allocates a new queue set, but when the user decides to enable the interface later on, vport_open() allocates them once again, IOW there's a clear memory leak here. Just don't allocate a new queue set when performing a reset, that solves crashes and memory leaks. Readd the old queue number and reopen the interface on rollback - that solves limbo states when the device is left disabled and/or without HW queues enabled.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix a deadlock problem when config TC during resetting

Configuring TC during the reset process may cause a deadlock; the flow is as below:

pf reset start
    |
    ▼
  ......                              setup tc
    |                                    |
    ▼                                    ▼
DOWN: napi_disable()               napi_disable()(skip)
    |                                    |
    |                                    ▼
    ▼                                  ......
  ......                                 |
    |                                    ▼
    |                               napi_enable()
    |
    ▼
UINIT: netif_napi_del()
    |
    ▼
  ......
    |
    ▼
INIT: netif_napi_add()
    |
    ▼
  ......                           global reset start
    |                                    |
    ▼                                    ▼
UP: napi_enable()(skip)                ......
    |                                    |
    ▼                                    ▼
  ......                            napi_disable()

In reset process, the driver will DOWN the port and then UINIT, in this case, the setup tc process will UP the port before UINIT, so cause the problem. Adds a DOWN process in UINIT to fix it.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: netem: fix return value if duplicate enqueue fails

There is a bug in netem_enqueue() introduced by commit 5845f706388a ("net: netem: fix skb length BUG_ON in __skb_to_sgvec") that can lead to a use-after-free.

This commit made netem_enqueue() always return NET_XMIT_SUCCESS when a packet is duplicated, which can cause the parent qdisc's q.qlen to be mistakenly incremented. When this happens qlen_notify() may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.

There are two ways for the bug to happen:

- If the duplicated packet is dropped by rootq->enqueue() and then the original packet is also dropped.
- If rootq->enqueue() sends the duplicated packet to a different qdisc and the original packet is dropped.

In both cases NET_XMIT_SUCCESS is returned even though no packets are enqueued at the netem qdisc.

The fix is to defer the enqueue of the duplicate packet until after the original packet has been guaranteed to return NET_XMIT_SUCCESS.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE

copy_fd_bitmaps(new, old, count) is expected to copy the first count/BITS_PER_LONG bits from old->full_fds_bits[] and fill the rest with zeroes. What it does is copying enough words (BITS_TO_LONGS(count/BITS_PER_LONG)), then memsets the rest. That works fine, *if* all bits past the cutoff point are clear. Otherwise we are risking garbage from the last word we'd copied.

For most of the callers that is true - expand_fdtable() has count equal to old->max_fds, so there's no open descriptors past count, let alone fully occupied words in ->open_fds[], which is what bits in ->full_fds_bits[] correspond to.

The other caller (dup_fd()) passes sane_fdtable_size(old_fdt, max_fds), which is the smallest multiple of BITS_PER_LONG that covers all opened descriptors below max_fds. In the common case (copying on fork()) max_fds is ~0U, so all opened descriptors will be below it and we are fine, by the same reasons why the call in expand_fdtable() is safe.

Unfortunately, there is a case where max_fds is less than that and where we might, indeed, end up with junk in ->full_fds_bits[] - close_range(from, to, CLOSE_RANGE_UNSHARE) with
* descriptor table being currently shared
* 'to' being above the current capacity of descriptor table
* 'from' being just under some chunk of opened descriptors.

In that case we end up with observably wrong behaviour - e.g. spawn a child with CLONE_FILES, get all descriptors in range 0..127 open, then close_range(64, ~0U, CLOSE_RANGE_UNSHARE) and watch dup(0) ending up with descriptor #128, despite #64 being observably not open.

The minimally invasive fix would be to deal with that in dup_fd(). If this proves to add measurable overhead, we can go that way, but let's try to fix copy_fd_bitmaps() first.

* new helper: bitmap_copy_and_expand(to, from, bits_to_copy, size).

* make copy_fd_bitmaps() take the bitmap size in words, rather than bits; its 'count' argument is always a multiple of BITS_PER_LONG, so we are not losing any information, and that way we can use the same helper for all three bitmaps - compiler will see that count is a multiple of BITS_PER_LONG for the large ones, so it'll generate plain memcpy()+memset().

Reproducer added to tools/testing/selftests/core/close_range_test.c


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: bonding: change ipsec_lock from spin lock to mutex

In the cited commit, bond->ipsec_lock is added to protect ipsec_list, hence xdo_dev_state_add and xdo_dev_state_delete are called inside this lock. As ipsec_lock is a spin lock and such xfrmdev ops may sleep, "scheduling while atomic" will be triggered when changing bond's active slave.

[  101.055189] BUG: scheduling while atomic: bash/902/0x00000200
[  101.055726] Modules linked in:
[  101.058211] CPU: 3 PID: 902 Comm: bash Not tainted 6.9.0-rc4+ #1
[  101.058760] Hardware name:
[  101.059434] Call Trace:
[  101.059436]  <TASK>
[  101.060873]  dump_stack_lvl+0x51/0x60
[  101.061275]  __schedule_bug+0x4e/0x60
[  101.061682]  __schedule+0x612/0x7c0
[  101.062078]  ? __mod_timer+0x25c/0x370
[  101.062486]  schedule+0x25/0xd0
[  101.062845]  schedule_timeout+0x77/0xf0
[  101.063265]  ? asm_common_interrupt+0x22/0x40
[  101.063724]  ? __bpf_trace_itimer_state+0x10/0x10
[  101.064215]  __wait_for_common+0x87/0x190
[  101.064648]  ? usleep_range_state+0x90/0x90
[  101.065091]  cmd_exec+0x437/0xb20 [mlx5_core]
[  101.065569]  mlx5_cmd_do+0x1e/0x40 [mlx5_core]
[  101.066051]  mlx5_cmd_exec+0x18/0x30 [mlx5_core]
[  101.066552]  mlx5_crypto_create_dek_key+0xea/0x120 [mlx5_core]
[  101.067163]  ? bonding_sysfs_store_option+0x4d/0x80 [bonding]
[  101.067738]  ? kmalloc_trace+0x4d/0x350
[  101.068156]  mlx5_ipsec_create_sa_ctx+0x33/0x100 [mlx5_core]
[  101.068747]  mlx5e_xfrm_add_state+0x47b/0xaa0 [mlx5_core]
[  101.069312]  bond_change_active_slave+0x392/0x900 [bonding]
[  101.069868]  bond_option_active_slave_set+0x1c2/0x240 [bonding]
[  101.070454]  __bond_opt_set+0xa6/0x430 [bonding]
[  101.070935]  __bond_opt_set_notify+0x2f/0x90 [bonding]
[  101.071453]  bond_opt_tryset_rtnl+0x72/0xb0 [bonding]
[  101.071965]  bonding_sysfs_store_option+0x4d/0x80 [bonding]
[  101.072567]  kernfs_fop_write_iter+0x10c/0x1a0
[  101.073033]  vfs_write+0x2d8/0x400
[  101.073416]  ? alloc_fd+0x48/0x180
[  101.073798]  ksys_write+0x5f/0xe0
[  101.074175]  do_syscall_64+0x52/0x110
[  101.074576]  entry_SYSCALL_64_after_hwframe+0x4b/0x53

As bond_ipsec_add_sa_all and bond_ipsec_del_sa_all are only called from bond_change_active_slave, which requires holding the RTNL lock. And bond_ipsec_add_sa and bond_ipsec_del_sa are xfrm state xdo_dev_state_add and xdo_dev_state_delete APIs, which are in user context. So ipsec_lock doesn't have to be spin lock, change it to mutex, and thus the above issue can be resolved.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: pktgen: use cpus_read_lock() in pg_net_init() I have seen the WARN_ON(smp_processor_id() != cpu) firing in pktgen_thread_worker() during tests. We must use cpus_read_lock()/cpus_read_unlock() around the for_each_online_cpu(cpu) loop. While we are at it use WARN_ON_ONCE() to avoid a possible syslog flood.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: dmaengine: altera-msgdma: properly free descriptor in msgdma_free_descriptor Remove list_del call in msgdma_chan_desc_cleanup, this should be the role of msgdma_free_descriptor. In consequence replace list_add_tail with list_move_tail in msgdma_free_descriptor. This fixes the path: msgdma_free_chan_resources -> msgdma_free_descriptors -> msgdma_free_desc_list -> msgdma_free_descriptor which does not correctly free the descriptors as first nodes were not removed from the list.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Fix null pointer dereference in trace ucsi_register_altmode checks IS_ERR for the alt pointer and treats NULL as valid. When CONFIG_TYPEC_DP_ALTMODE is not enabled, ucsi_register_displayport returns NULL which causes a NULL pointer dereference in trace. Rather than return NULL, call typec_port_register_altmode to register DisplayPort alternate mode as a non-controllable mode when CONFIG_TYPEC_DP_ALTMODE is not enabled.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Remove tst_run from lwt_seg6local_prog_ops. The syzbot reported that the lwt_seg6 related BPF ops can be invoked via bpf_test_run() without entering input_action_end_bpf() first. Martin KaFai Lau said that self test for BPF_PROG_TYPE_LWT_SEG6LOCAL probably didn't work since it was introduced in commit 04d4b274e2a ("ipv6: sr: Add seg6local action End.BPF"). The reason is that the per-CPU variable seg6_bpf_srh_states::srh is never assigned in the self test case but each BPF function expects it. Remove test_run for BPF_PROG_TYPE_LWT_SEG6LOCAL.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ice: Add netif_device_attach/detach into PF reset flow

Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below.

Reproduction steps:
Once the driver is fully initialized, trigger reset:
# echo 1 > /sys/class/net/<interface>/device/reset
when reset is in progress try to get coalesce settings using ethtool:
# ethtool -c <interface>

BUG: kernel NULL pointer dereference, address: 0000000000000020
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7
RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice]
RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206
RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000
R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40
FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0
Call Trace:
<TASK>
ice_get_coalesce+0x17/0x30 [ice]
coalesce_prepare_data+0x61/0x80
ethnl_default_doit+0xde/0x340
genl_family_rcv_msg_doit+0xf2/0x150
genl_rcv_msg+0x1b3/0x2c0
netlink_rcv_skb+0x5b/0x110
genl_rcv+0x28/0x40
netlink_unicast+0x19c/0x290
netlink_sendmsg+0x222/0x490
__sys_sendto+0x1df/0x1f0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x82/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7faee60d8e27

Calling netif_device_detach() before reset makes the net core not call the driver when an ethtool command is issued; the attempt to execute an ethtool command during reset will result in the following message:
netlink error: No such device
instead of a NULL pointer dereference. Once reset is done and ice_rebuild() is executing, netif_device_attach() is called to allow ethtool operations to occur again in a safe manner.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Validate function returns [WHAT & HOW] Function return values must be checked before data can be used in subsequent functions. This fixes 4 CHECKED_RETURN issues reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: udf: Avoid excessive partition lengths Avoid mounting filesystems where the partition would overflow the 32-bits used for block number. Also refuse to mount filesystems where the partition length is so large we cannot safely index bits in a block bitmap.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: sch/netem: fix use after free in netem_dequeue

If netem_dequeue() enqueues a packet to the inner qdisc and that qdisc returns __NET_XMIT_STOLEN, the packet is dropped but qdisc_tree_reduce_backlog() is not called to update the parent's q.qlen, leading to a use-after-free similar to commit e04991a48dbaf382 ("netem: fix return value if duplicate enqueue fails").

Commands to trigger KASAN UaF:
ip link add type dummy
ip link set lo up
ip link set dummy0 up
tc qdisc add dev lo parent root handle 1: drr
tc filter add dev lo parent 1: basic classid 1:1
tc class add dev lo classid 1:1 drr
tc qdisc add dev lo parent 1:1 handle 2: netem
tc qdisc add dev lo parent 2: handle 3: drr
tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0
tc class add dev lo classid 3:1 drr
ping -c1 -W0.01 localhost # Trigger bug
tc class del dev lo classid 1:1
tc class add dev lo classid 1:1 drr
ping -c1 -W0.01 localhost # UaF


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: added NULL check at start of dc_validate_stream [Why] Prevent invalid memory access. [How] Check if dc and stream are NULL.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add array index check for hdcp ddc access [Why] Coverity reports an OVERRUN warning. The code does not check whether the array index is valid. [How] Check that msg_id is valid and a valid array index.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix the warning dereferencing hive Check the amdgpu_hive_info *hive that may be NULL.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/amdgpu: Check tbo resource pointer Validate the tbo resource pointer; skip if NULL.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check BIOS images before it is used BIOS images may fail to load and null checks are added before they are used. This fixes 6 NULL_RETURNS issues reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/bridge: tc358767: Check if fully initialized before signalling HPD event via IRQ Make sure the connector is fully initialized before signalling any HPD events via drm_kms_helper_hotplug_event(), otherwise this may lead to NULL pointer dereference.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index may exceed array range within fpu_update_bw_bounding_box [Why] Coverity reports an OVERRUN warning. soc.num_states could be 40, but the array range of bw_params->clk_table.entries is 8. [How] Assert if soc.num_states is greater than 8.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip inactive planes within ModeSupportAndSystemConfiguration [Why] Coverity reports Memory - illegal accesses. [How] Skip inactive planes.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check link_index before accessing dc->links[] [WHY & HOW] dc->links[] has a max size of MAX_LINKS and NULL is returned when trying to access it with an out-of-bounds index. This fixes 3 OVERRUN and 1 RESOURCE_LEAK issues reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check msg_id before processing transaction [WHY & HOW] HDCP_MESSAGE_ID_INVALID (-1) is not a valid msg_id nor is it a valid array index, and it needs checking before use. This fixes 4 OVERRUN issues reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check num_valid_sets before accessing reader_wm_sets[] [WHY & HOW] num_valid_sets needs to be checked to avoid a negative index when accessing reader_wm_sets[num_valid_sets - 1]. This fixes an OVERRUN issue reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Stop amdgpu_dm initialize when link nums greater than max_links [Why] Coverity reports an OVERRUN warning. There are only max_links elements within dc->links, but the link count could be up to AMDGPU_DM_MAX_DISPLAY_INDEX (31). [How] Make sure the link count is less than max_links.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Stop amdgpu_dm initialize when stream nums greater than 6 [Why] Coverity reports an OVERRUN warning. amdgpu_dm initialization should be aborted. [How] Return failure to amdgpu_dm_init.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check gpio_id before used as array index [WHY & HOW] GPIO_ID_UNKNOWN (-1) is not a valid value for array index and therefore should be checked in advance. This fixes 5 OVERRUN issues reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: the warning dereferencing obj for nbio_v7_4 If the ras_manager obj is null, don't print NBIO err data.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Fix negative array index read Avoid using negative values of clk_index as an index into the array pptable->DpmDescriptor. V2: fix clk_index return check (Tim Huang)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read The ELF loader uses "randomize_va_space" twice. It is a sysctl and can change at any moment, so 2 loads could see 2 different values in theory, with unpredictable consequences. Issue exactly one load for a consistent value across one exec.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness

In sch_cake, we keep track of the count of active bulk flows per host, when running in dst/src host fairness mode, which is used as the round-robin weight when iterating through flows. The count of active bulk flows is updated whenever a flow changes state.

This has a peculiar interaction with the hash collision handling: when a hash collision occurs (after the set-associative hashing), the state of the hash bucket is simply updated to match the new packet that collided, and if host fairness is enabled, that also means assigning new per-host state to the flow. For this reason, the bulk flow counters of the host(s) assigned to the flow are decremented, before new state is assigned (and the counters, which may not belong to the same host anymore, are incremented again).

Back when this code was introduced, the host fairness mode was always enabled, so the decrement was unconditional. When the configuration flags were introduced the *increment* was made conditional, but the *decrement* was not. Which of course can lead to a spurious decrement (and associated wrap-around to U16_MAX).

AFAICT, when host fairness is disabled, the decrement and wrap-around happens as soon as a hash collision occurs (which is not that common in itself, due to the set-associative hashing). However, in most cases this is harmless, as the value is only used when host fairness mode is enabled. So in order to trigger an array overflow, sch_cake has to first be configured with host fairness disabled, and while running in this mode, a hash collision has to occur to cause the overflow. Then, the qdisc has to be reconfigured to enable host fairness, which leads to the array out-of-bounds because the wrapped-around value is retained and used as an array index. It seems that syzbot managed to trigger this, which is quite impressive in its own right.

This patch fixes the issue by introducing the same conditional check on decrement as is used on increment. The original bug predates the upstreaming of cake, but the commit listed in the Fixes tag touched that code, meaning that this patch won't apply before that.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ethtool: fail closed if we can't get max channel used in indirection tables Commit 0d1b7d6c9274 ("bnxt: fix crashes when reducing ring count with active RSS contexts") proves that allowing indirection table to contain channels with out of bounds IDs may lead to crashes. Currently the max channel check in the core gets skipped if driver can't fetch the indirection table or when we can't allocate memory. Both of those conditions should be extremely rare but if they do happen we should try to be safe and fail the channel change.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix smatch static checker warning adev->gfx.imu.funcs could be NULL.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: btrfs: clean up our handling of refs == 0 in snapshot delete In reada we BUG_ON(refs == 0), which could be unkind since we aren't holding a lock on the extent leaf and thus could get a transient incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which could happen if we have extent tree corruption. Change that to return -EUCLEAN. In do_walk_down() we catch this case and handle it correctly, however we return -EIO, for which -EUCLEAN is a more appropriate error code. Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert that to proper error handling. Also adjust the error message so we can actually do something with the information.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() We handle errors here properly; ENOMEM isn't fatal, return the error.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and the routine unconditionally frees submitted mailbox commands regardless of return status. The issue is that for MBX_TIMEOUT cases, when firmware returns SFP information at a later time, that same mailbox memory region references previously freed memory in its cmpl routine. Fix by adding checks for the MBX_TIMEOUT return code. During mailbox resource cleanup, check the mbox flag to make sure that the wait did not timeout. If the MBOX_WAKE flag is not set, then do not free the resources because it will be freed when firmware completes the mailbox at a later time in its cmpl routine. Also, increase the timeout from 30 to 60 seconds to accommodate boot scripts requiring longer timeouts.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Limit the period on Haswell

Running the ltp test cve-2015-3290 concurrently reports the following warnings.

perfevents: irq loop stuck!
WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174 intel_pmu_handle_irq+0x285/0x370
Call Trace:
<NMI>
? __warn+0xa4/0x220
? intel_pmu_handle_irq+0x285/0x370
? __report_bug+0x123/0x130
? intel_pmu_handle_irq+0x285/0x370
? __report_bug+0x123/0x130
? intel_pmu_handle_irq+0x285/0x370
? report_bug+0x3e/0xa0
? handle_bug+0x3c/0x70
? exc_invalid_op+0x18/0x50
? asm_exc_invalid_op+0x1a/0x20
? irq_work_claim+0x1e/0x40
? intel_pmu_handle_irq+0x285/0x370
perf_event_nmi_handler+0x3d/0x60
nmi_handle+0x104/0x330

Thanks to Thomas Gleixner's analysis, the issue is caused by the low initial period (1) of the frequency estimation algorithm, which triggers the defects of the HW, specifically erratum HSW11 and HSW143. (For the details, please refer to https://lore.kernel.org/lkml/87plq9l5d2.ffs@tglx/)

The HSW11 requires a period larger than 100 for the INST_RETIRED.ALL event, but the initial period in the freq mode is 1. The erratum is the same as the BDM11, which has been supported in the kernel. A minimum period of 128 is enforced as well on HSW.

HSW143 is regarding that the fixed counter 1 may overcount 32 when Hyper-Threading is enabled. However, based on the test, the hardware has more issues than it tells. Besides the fixed counter 1, the message 'interrupt took too long' can be observed on any counter which was armed with a period < 32 and two events expired in the same NMI. A minimum period of 32 is enforced for the rest of the events.

The recommended workaround code of the HSW143 is not implemented, because it only addresses the issue for the fixed counter. It brings extra overhead through extra MSR writing. No related overcounting issue has been reported so far.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ASoC: meson: axg-card: fix 'use-after-free'

Buffer 'card->dai_link' is reallocated in 'meson_card_reallocate_links()', so move 'pad' pointer initialization after this function when memory is already reallocated.

Kasan bug report:
==================================================================
BUG: KASAN: slab-use-after-free in axg_card_add_link+0x76c/0x9bc
Read of size 8 at addr ffff000000e8b260 by task modprobe/356
CPU: 0 PID: 356 Comm: modprobe Tainted: G O 6.9.12-sdkernel #1
Call trace:
dump_backtrace+0x94/0xec
show_stack+0x18/0x24
dump_stack_lvl+0x78/0x90
print_report+0xfc/0x5c0
kasan_report+0xb8/0xfc
__asan_load8+0x9c/0xb8
axg_card_add_link+0x76c/0x9bc [snd_soc_meson_axg_sound_card]
meson_card_probe+0x344/0x3b8 [snd_soc_meson_card_utils]
platform_probe+0x8c/0xf4
really_probe+0x110/0x39c
__driver_probe_device+0xb8/0x18c
driver_probe_device+0x108/0x1d8
__driver_attach+0xd0/0x25c
bus_for_each_dev+0xe0/0x154
driver_attach+0x34/0x44
bus_add_driver+0x134/0x294
driver_register+0xa8/0x1e8
__platform_driver_register+0x44/0x54
axg_card_pdrv_init+0x20/0x1000 [snd_soc_meson_axg_sound_card]
do_one_initcall+0xdc/0x25c
do_init_module+0x10c/0x334
load_module+0x24c4/0x26cc
init_module_from_file+0xd4/0x128
__arm64_sys_finit_module+0x1f4/0x41c
invoke_syscall+0x60/0x188
el0_svc_common.constprop.0+0x78/0x13c
do_el0_svc+0x30/0x40
el0_svc+0x38/0x78
el0t_64_sync_handler+0x100/0x12c
el0t_64_sync+0x190/0x194


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: nxp-fspi: fix the KASAN report out-of-bounds bug

Change the memcpy length to fix the out-of-bounds issue when writing the data that is not 4 byte aligned to TX FIFO.

To reproduce the issue, write 3 bytes data to NOR chip.

dd if=3b of=/dev/mtd0

[ 36.926103] ==================================================================
[ 36.933409] BUG: KASAN: slab-out-of-bounds in nxp_fspi_exec_op+0x26ec/0x2838
[ 36.940514] Read of size 4 at addr ffff00081037c2a0 by task dd/455
[ 36.946721]
[ 36.948235] CPU: 3 UID: 0 PID: 455 Comm: dd Not tainted 6.11.0-rc5-gc7b0e37c8434 #1070
[ 36.956185] Hardware name: Freescale i.MX8QM MEK (DT)
[ 36.961260] Call trace:
[ 36.963723] dump_backtrace+0x90/0xe8
[ 36.967414] show_stack+0x18/0x24
[ 36.970749] dump_stack_lvl+0x78/0x90
[ 36.974451] print_report+0x114/0x5cc
[ 36.978151] kasan_report+0xa4/0xf0
[ 36.981670] __asan_report_load_n_noabort+0x1c/0x28
[ 36.986587] nxp_fspi_exec_op+0x26ec/0x2838
[ 36.990800] spi_mem_exec_op+0x8ec/0xd30
[ 36.994762] spi_mem_no_dirmap_read+0x190/0x1e0
[ 36.999323] spi_mem_dirmap_write+0x238/0x32c
[ 37.003710] spi_nor_write_data+0x220/0x374
[ 37.007932] spi_nor_write+0x110/0x2e8
[ 37.011711] mtd_write_oob_std+0x154/0x1f0
[ 37.015838] mtd_write_oob+0x104/0x1d0
[ 37.019617] mtd_write+0xb8/0x12c
[ 37.022953] mtdchar_write+0x224/0x47c
[ 37.026732] vfs_write+0x1e4/0x8c8
[ 37.030163] ksys_write+0xec/0x1d0
[ 37.033586] __arm64_sys_write+0x6c/0x9c
[ 37.037539] invoke_syscall+0x6c/0x258
[ 37.041327] el0_svc_common.constprop.0+0x160/0x22c
[ 37.046244] do_el0_svc+0x44/0x5c
[ 37.049589] el0_svc+0x38/0x78
[ 37.052681] el0t_64_sync_handler+0x13c/0x158
[ 37.057077] el0t_64_sync+0x190/0x194
[ 37.060775]
[ 37.062274] Allocated by task 455:
[ 37.065701] kasan_save_stack+0x2c/0x54
[ 37.069570] kasan_save_track+0x20/0x3c
[ 37.073438] kasan_save_alloc_info+0x40/0x54
[ 37.077736] __kasan_kmalloc+0xa0/0xb8
[ 37.081515] __kmalloc_noprof+0x158/0x2f8
[ 37.085563] mtd_kmalloc_up_to+0x120/0x154
[ 37.089690] mtdchar_write+0x130/0x47c
[ 37.093469] vfs_write+0x1e4/0x8c8
[ 37.096901] ksys_write+0xec/0x1d0
[ 37.100332] __arm64_sys_write+0x6c/0x9c
[ 37.104287] invoke_syscall+0x6c/0x258
[ 37.108064] el0_svc_common.constprop.0+0x160/0x22c
[ 37.112972] do_el0_svc+0x44/0x5c
[ 37.116319] el0_svc+0x38/0x78
[ 37.119401] el0t_64_sync_handler+0x13c/0x158
[ 37.123788] el0t_64_sync+0x190/0x194
[ 37.127474]
[ 37.128977] The buggy address belongs to the object at ffff00081037c2a0
[ 37.128977] which belongs to the cache kmalloc-8 of size 8
[ 37.141177] The buggy address is located 0 bytes inside of
[ 37.141177] allocated 3-byte region [ffff00081037c2a0, ffff00081037c2a3)
[ 37.153465]
[ 37.154971] The buggy address belongs to the physical page:
[ 37.160559] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x89037c
[ 37.168596] flags: 0xbfffe0000000000(node=0|zone=2|lastcpupid=0x1ffff)
[ 37.175149] page_type: 0xfdffffff(slab)
[ 37.179021] raw: 0bfffe0000000000 ffff000800002500 dead000000000122 0000000000000000
[ 37.186788] raw: 0000000000000000 0000000080800080 00000001fdffffff 0000000000000000
[ 37.194553] page dumped because: kasan: bad access detected
[ 37.200144]
[ 37.201647] Memory state around the buggy address:
[ 37.206460] ffff00081037c180: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
[ 37.213701] ffff00081037c200: fa fc fc fc 05 fc fc fc 03 fc fc fc 02 fc fc fc
[ 37.220946] >ffff00081037c280: 06 fc fc fc 03 fc fc fc fc fc fc fc fc fc fc fc
[ 37.228186] ^
[ 37.232473] ffff00081037c300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.239718] ffff00081037c380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.246962] ==============================================================
---truncated---
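The KASAN report above is a 4-byte read from a 3-byte kmalloc object: the TX path copied a full 32-bit word out of the data buffer even when fewer than four bytes remained. The following is an added example, not the nxp-fspi driver's code: a user-space model of packing a byte buffer into a 32-bit-wide TX FIFO, showing the unbounded copy beside the bounded one. FIFO_WORDS, the function names and the 3-byte sample write are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FIFO_WORDS 16   /* model of a 32-bit-wide TX FIFO (assumed size) */

/*
 * Bug shape: every copy is sizeof(uint32_t) bytes, even when fewer remain
 * in 'buf'. For a 3-byte write the single copy reads one byte past the end
 * of the 3-byte object, which is the 4-byte read from a 3-byte region that
 * KASAN reported. Kept for comparison; only safe when 'buf' is padded to a
 * multiple of 4 bytes.
 */
size_t fill_fifo_unbounded(uint32_t *fifo, const uint8_t *buf, size_t len)
{
    size_t i, n = 0;

    for (i = 0; i < len && n < FIFO_WORDS; i += 4) {
        uint32_t w;

        memcpy(&w, buf + i, sizeof(w));   /* over-reads when len - i < 4 */
        fifo[n++] = w;
    }
    return n;
}

/*
 * Fixed shape: bound each copy by the bytes actually remaining, and start
 * from a zeroed word so the unused tail bytes are deterministic rather than
 * stale stack contents.
 */
size_t fill_fifo_bounded(uint32_t *fifo, const uint8_t *buf, size_t len)
{
    size_t i, n = 0;

    for (i = 0; i < len && n < FIFO_WORDS; i += 4) {
        uint32_t w = 0;
        size_t chunk = (len - i < sizeof(w)) ? len - i : sizeof(w);

        memcpy(&w, buf + i, chunk);
        fifo[n++] = w;
    }
    return n;
}

/*
 * Self-check for the 3-byte case: returns 1 when the bounded fill produces
 * exactly one word whose byte image is the three payload bytes followed by
 * a zero, regardless of host endianness.
 */
int three_byte_write_is_clean(void)
{
    const uint8_t data[3] = { 0x3b, 0x62, 0x21 };        /* constructed sample write */
    const uint8_t want[4] = { 0x3b, 0x62, 0x21, 0x00 };
    uint32_t fifo[FIFO_WORDS];
    size_t words = fill_fifo_bounded(fifo, data, sizeof(data));

    return words == 1 && memcmp(&fifo[0], want, sizeof(want)) == 0;
}

/* Number of FIFO words the bounded fill emits for a write of 'len' bytes. */
size_t words_for_len(size_t len)
{
    uint8_t buf[64] = { 0 };
    uint32_t fifo[FIFO_WORDS];

    return fill_fifo_bounded(fifo, buf, len < sizeof(buf) ? len : sizeof(buf));
}

int main(void)
{
    /* An aligned buffer is handled identically by both variants. */
    const uint8_t aligned[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    uint32_t a[FIFO_WORDS], b[FIFO_WORDS];
    size_t na = fill_fifo_unbounded(a, aligned, sizeof(aligned));
    size_t nb = fill_fifo_bounded(b, aligned, sizeof(aligned));

    printf("aligned: %zu words, identical=%d\n", na,
           na == nb && memcmp(a, b, na * sizeof(a[0])) == 0);
    printf("3-byte write clean: %d\n", three_byte_write_is_clean());
    return 0;
}
```

The bounded variant is the only one that may be handed an arbitrary user-sized buffer; running the unbounded one under KASAN (or ASan with a heap-allocated 3-byte buffer) reproduces the report's shape.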


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

net: dpaa: Pad packets to ETH_ZLEN

When sending packets under 60 bytes, up to three bytes of the buffer following the data may be leaked. Avoid this by extending all packets to ETH_ZLEN, ensuring nothing is leaked in the padding. This bug can be reproduced by running

$ ping -s 11 destination
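The fix relies on the driver padding short frames itself, with zeros, instead of letting the hardware fill the minimum frame length from whatever follows the payload in memory. The following added example (not the dpaa driver's code; a user-space model, with the frame layout of `ping -s 11` over IPv4 and a 128-byte backing buffer as constructed inputs) pads a frame to ETH_ZLEN and counts how many stale bytes would reach the wire with and without the padding. The model pads every missing byte; the "up to three bytes" in the text is the specific hardware's behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_ZLEN 60   /* minimum Ethernet frame length without FCS */

/*
 * Pad a frame in place to ETH_ZLEN, zeroing the added bytes. 'cap' is the
 * size of the backing buffer. Returns the final length, or 0 when the buffer
 * cannot hold a minimum-size frame. Explicit zeroing is the point: the dpaa
 * bug was that the hardware padded the frame with whatever bytes happened to
 * follow the payload in memory.
 */
size_t pad_to_eth_zlen(uint8_t *frame, size_t len, size_t cap)
{
    if (len >= ETH_ZLEN)
        return len;
    if (cap < ETH_ZLEN)
        return 0;
    memset(frame + len, 0, ETH_ZLEN - len);
    return ETH_ZLEN;
}

/* Frame length 'ping -s 11' produces on IPv4: Ethernet (14) + IPv4 (20)
 * + ICMP echo header (8) + 11 bytes of payload = 53 bytes. */
#define PING_S11_FRAME_LEN (14 + 20 + 8 + 11)

/*
 * Build such a frame in a buffer pre-filled with a recognisable stale value,
 * optionally pad it, and count padding bytes that still carry the stale
 * value. With padding the count is 0; without it, all 7 pad bytes are stale.
 */
int stale_bytes_on_wire(int do_pad)
{
    uint8_t buf[128];
    size_t len = PING_S11_FRAME_LEN;
    size_t i, stale = 0;

    memset(buf, 0xA5, sizeof(buf));    /* simulated leftovers of an earlier packet */
    memset(buf, 0x11, len);            /* constructed packet bytes */
    if (do_pad)
        len = pad_to_eth_zlen(buf, len, sizeof(buf));
    else
        len = ETH_ZLEN;                /* the NIC transmits ETH_ZLEN bytes regardless */

    for (i = PING_S11_FRAME_LEN; i < len; i++)
        if (buf[i] == 0xA5)
            stale++;
    return (int)stale;
}

/* Final length pad_to_eth_zlen() yields for a 'len'-byte frame in a 128-byte buffer. */
size_t padded_len(size_t len)
{
    uint8_t buf[128] = { 0 };

    return pad_to_eth_zlen(buf, len < sizeof(buf) ? len : sizeof(buf), sizeof(buf));
}

int main(void)
{
    printf("unpadded frame leaks %d bytes, padded frame leaks %d bytes\n",
           stale_bytes_on_wire(0), stale_bytes_on_wire(1));
    return 0;
}
```

In the kernel the equivalent call is `skb_put_padto(skb, ETH_ZLEN)`, which also reallocates when the skb has no tailroom; the model above assumes the buffer already has room.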


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_socket: fix sk refcount leaks

We must put 'sk' reference before returning.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix bridge mode operations when there are no VFs

Currently, trying to set the bridge mode attribute when numvfs=0 leads to a crash:

bridge link set dev eth2 hwmode vepa

[ 168.967392] BUG: kernel NULL pointer dereference, address: 0000000000000030
[...]
[ 168.969989] RIP: 0010:mlx5_add_flow_rules+0x1f/0x300 [mlx5_core]
[...]
[ 168.976037] Call Trace:
[ 168.976188] <TASK>
[ 168.978620] _mlx5_eswitch_set_vepa_locked+0x113/0x230 [mlx5_core]
[ 168.979074] mlx5_eswitch_set_vepa+0x7f/0xa0 [mlx5_core]
[ 168.979471] rtnl_bridge_setlink+0xe9/0x1f0
[ 168.979714] rtnetlink_rcv_msg+0x159/0x400
[ 168.980451] netlink_rcv_skb+0x54/0x100
[ 168.980675] netlink_unicast+0x241/0x360
[ 168.980918] netlink_sendmsg+0x1f6/0x430
[ 168.981162] ____sys_sendmsg+0x3bb/0x3f0
[ 168.982155] ___sys_sendmsg+0x88/0xd0
[ 168.985036] __sys_sendmsg+0x59/0xa0
[ 168.985477] do_syscall_64+0x79/0x150
[ 168.987273] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 168.987773] RIP: 0033:0x7f8f7950f917

(esw->fdb_table.legacy.vepa_fdb is null)

The bridge mode is only relevant when there are multiple functions per port. Therefore, prevent setting and getting this setting when there are no VFs.

Note that after this change, there are no settings to change on the PF interface using `bridge link` when there are no VFs, so the interface no longer appears in the `bridge link` output.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses

The panasonic laptop code in various places uses the SINF array with index values of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the SINF array is big enough.

Not all panasonic laptops have this many SINF array entries, for example the Toughbook CF-18 model only has 10 SINF array entries. So it only supports the AC+DC brightness entries and mute.

Check that the SINF array has a minimum size which covers all AC+DC brightness entries and refuse to load if the SINF array is smaller.

For higher SINF indexes hide the sysfs attributes when the SINF array does not contain an entry for that attribute, avoiding show()/store() accessing the array out of bounds and add bounds checking to the probe() and resume() code accessing these.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

x86/hyperv: fix kexec crash due to VP assist page corruption

commit 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling when CPUs go online/offline") introduces a new cpuhp state for hyperv initialization.

cpuhp_setup_state() returns the state number if state is CPUHP_AP_ONLINE_DYN or CPUHP_BP_PREPARE_DYN and 0 for all other states. For the hyperv case, since a new cpuhp state was introduced it would return 0. However, in hv_machine_shutdown(), the cpuhp_remove_state() call is conditioned upon "hyperv_init_cpuhp > 0". This will never be true and so hv_cpu_die() won't be called on all CPUs. This means the VP assist page won't be reset. When the kexec kernel tries to setup the VP assist page again, the hypervisor corrupts the memory region of the old VP assist page causing a panic in case the kexec kernel is using that memory elsewhere. This was originally fixed in commit dfe94d4086e4 ("x86/hyperv: Fix kexec panic/hang issues").

Get rid of hyperv_init_cpuhp entirely since we are no longer using a dynamic cpuhp state and use CPUHP_AP_HYPERV_ONLINE directly with cpuhp_remove_state().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Correct the defined value for AMDGPU_DMUB_NOTIFICATION_MAX

[Why & How]
It actually exposes '6' types in enum dmub_notification_type. Not 5. Using smaller number to create array dmub_callback & dmub_thread_offload has potential to access item out of array bound. Fix it.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

fsnotify: clear PARENT_WATCHED flags lazily

In some setups directories can have many (usually negative) dentries. Hence __fsnotify_update_child_dentry_flags() function can take a significant amount of time. Since the bulk of this function happens under inode->i_lock this causes a significant contention on the lock when we remove the watch from the directory as the __fsnotify_update_child_dentry_flags() call from fsnotify_recalc_mask() races with __fsnotify_update_child_dentry_flags() calls from __fsnotify_parent() happening on children. This can lead up to softlockup reports from users.

Fix the problem by calling fsnotify_update_children_dentry_flags() to set PARENT_WATCHED flags only when parent starts watching children. When parent stops watching children, clear false positive PARENT_WATCHED flags lazily in __fsnotify_parent() for each accessed child.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Avoid overflow from uint32_t to uint8_t

[WHAT & HOW]
dmub_rb_cmd's ramping_boundary has size of uint8_t and it is assigned 0xFFFF. Fix it by changing it to uint8_t with value of 0xFF.

This fixes 2 INTEGER_OVERFLOW issues reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

staging: iio: frequency: ad9834: Validate frequency parameter value

In ad9834_write_frequency() clk_get_rate() can return 0. In such case ad9834_calc_freqreg() call will lead to division by zero. Checking 'if (fout > (clk_freq / 2))' doesn't protect in the case where 'fout' is 0. ad9834_write_frequency() is called from ad9834_write(), where fout is taken from text buffer, which can contain any value.

Modify parameters checking.

Found by Linux Verification Center (linuxtesting.org) with SVACE.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

spi: hisi-kunpeng: Add verification for the max_frequency provided by the firmware

If the value of max_speed_hz is 0, it may cause a division by zero error in hisi_calc_effective_speed(). The value of max_speed_hz is provided by firmware. Firmware is generally considered a trusted domain. However, as division by zero errors can cause system failure, for defense measure, the value of max_speed is validated here. So 0 is regarded as invalid and an error code is returned.
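Both the ad9834 entry above and this hisi-kunpeng entry are the same defect: a value that ends up as a divisor (a clock rate from clk_get_rate(), a maximum speed from firmware, or a user-supplied frequency) is used in arithmetic before anyone checks it is non-zero, and the range check that does exist (fout > clk/2) passes when both operands are 0. The following added example, which is not either driver's code, models the ad9834 frequency-register calculation with a 28-bit phase accumulator (an assumption about the width, stated here and in the code) and shows the unguarded computation beside one that validates every operand first; the probe-time guard for a firmware-supplied limit, the hisi-kunpeng shape, is the last function.

```c
#include <stdint.h>
#include <errno.h>
#include <stdio.h>

#define FREQ_BITS 28   /* phase-accumulator width assumed for this model */

/*
 * Bug shape: the only guard is the Nyquist test, evaluated before anything
 * confirms the clock is non-zero. With clk_hz == 0 and fout_hz == 0 the test
 * reads 0 > 0, passes, and the division faults. Kept for comparison only;
 * never call it with clk_hz == 0.
 */
int64_t freqreg_unchecked(uint64_t clk_hz, uint64_t fout_hz)
{
    if (fout_hz > clk_hz / 2)
        return -EINVAL;
    return (int64_t)((fout_hz << FREQ_BITS) / clk_hz);   /* divides by zero for clk_hz == 0 */
}

/*
 * Fixed shape: validate every operand that reaches the division before any
 * arithmetic. Returns the register value (>= 0) or -EINVAL.
 */
int64_t freqreg_checked(uint64_t clk_hz, uint64_t fout_hz)
{
    if (clk_hz == 0)
        return -EINVAL;               /* clock not running, or a bogus rate */
    if (fout_hz == 0 || fout_hz > clk_hz / 2)
        return -EINVAL;               /* outside the representable range */
    if (fout_hz > (UINT64_MAX >> FREQ_BITS))
        return -EINVAL;               /* the shift below would overflow */
    return (int64_t)((fout_hz << FREQ_BITS) / clk_hz);
}

/*
 * Probe-time guard for a firmware-supplied limit: a value that will later be
 * used as a divisor is rejected when it is zero, so the failure is a clean
 * -EINVAL at probe rather than a fault on the first transfer.
 */
int validate_max_speed_hz(uint32_t max_speed_hz)
{
    return max_speed_hz == 0 ? -EINVAL : 0;
}

int main(void)
{
    printf("75 MHz clock, 1 MHz out: reg=%lld\n",
           (long long)freqreg_checked(75000000, 1000000));
    printf("zero clock: %lld\n", (long long)freqreg_checked(0, 1000000));
    printf("firmware max_speed_hz=0: %d\n", validate_max_speed_hz(0));
    return 0;
}
```

The order of the checks matters: the divisor is tested first, on its own, so that no later comparison can be satisfied by a pair of zeros.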


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

i3c: mipi-i3c-hci: Error out instead on BUG_ON() in IBI DMA setup

The condition dma_get_cache_alignment * defined value > 256 during driver initialization is definitely not a reason to BUG_ON(). Turn that into a graceful error out with -EINVAL.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

PCI: keystone: Add workaround for Errata #i2037 (AM65x SR 1.0)

Errata #i2037 in AM65x/DRA80xM Processors Silicon Revision 1.0 (SPRZ452D_July 2018_Revised December 2019 [1]) mentions when an inbound PCIe TLP spans more than two internal AXI 128-byte bursts, the bus may corrupt the packet payload and the corrupt data may cause associated applications or the processor to hang.

The workaround for Errata #i2037 is to limit the maximum read request size and maximum payload size to 128 bytes. Add workaround for Errata #i2037 here.

The errata and workaround are applicable only to AM65x SR 1.0 and later versions of the silicon will have this fixed.

[1] -> https://www.ti.com/lit/er/sprz452i/sprz452i.pdf


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

lib/generic-radix-tree.c: Fix rare race in __genradix_ptr_alloc()

If we need to increase the tree depth, allocate a new node, and then race with another thread that increased the tree depth before us, we'll still have a preallocated node that might be used later.

If we then use that node for a new non-root node, it'll still have a pointer to the old root instead of being zeroed - fix this by zeroing it in the cmpxchg failure path.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix state management in error path of log writing function

After commit a694291a6211 ("nilfs2: separate wait function from nilfs_segctor_write") was applied, the log writing function nilfs_segctor_do_construct() was able to issue I/O requests continuously even if user data blocks were split into multiple logs across segments, but two potential flaws were introduced in its error handling.

First, if nilfs_segctor_begin_construction() fails while creating the second or subsequent logs, the log writing function returns without calling nilfs_segctor_abort_construction(), so the writeback flag set on pages/folios will remain uncleared. This causes page cache operations to hang waiting for the writeback flag. For example, truncate_inode_pages_final(), which is called via nilfs_evict_inode() when an inode is evicted from memory, will hang.

Second, the NILFS_I_COLLECTED flag set on normal inodes remains uncleared. As a result, if the next log write involves checkpoint creation, that's fine, but if a partial log write is performed that does not, inodes with NILFS_I_COLLECTED set are erroneously removed from the "sc_dirty_files" list, and their data and b-tree blocks may not be written to the device, corrupting the block mapping.

Fix these issues by uniformly calling nilfs_segctor_abort_construction() on failure of each step in the loop in nilfs_segctor_do_construct(), having it clean up logs and segment usages according to progress, and correcting the conditions for calling nilfs_redirty_inodes() to ensure that the NILFS_I_COLLECTED flag is cleared.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

ocfs2: add bounds checking to ocfs2_xattr_find_entry()

Add a paranoia check to make sure it doesn't stray beyond valid memory region containing ocfs2 xattr entries when scanning for a match. It will prevent out-of-bound access in case of crafted images.
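The general pattern behind this fix is a scan driven by an entry count read from the image itself: on a crafted filesystem the count can claim more entries than the block holds, so each entry must be bounds-checked against the end of the valid region before it is dereferenced. The following added example, which is not ocfs2's code and uses a simplified header/entry layout of its own invention, shows such a checked scan and runs it over a constructed 28-byte block with an honest count and with a crafted one.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

#ifndef EUCLEAN
#define EUCLEAN 117   /* "structure needs cleaning"; Linux defines EFSCORRUPTED as EUCLEAN */
#endif

/*
 * Simplified on-disk layout for this example (not ocfs2's real structures):
 * a header carrying an entry count, followed by fixed-size entries, all of
 * which must lie inside one block. On a crafted image every byte, including
 * 'count', is attacker-controlled.
 */
struct xe_header {
    uint16_t count;
    uint16_t reserved;
};

struct xe_entry {
    uint32_t name_hash;
    uint16_t name_offset;
    uint16_t name_len;
};

/*
 * Scan for 'hash'. 'end' is the first byte past the region known to be
 * valid. Returns the entry index, -ENODATA if absent, or -EUCLEAN when
 * 'count' would carry the scan beyond 'end' (corrupt or crafted metadata).
 * The bound is checked before each entry is dereferenced.
 */
int find_entry_checked(const struct xe_header *hdr, const void *end, uint32_t hash)
{
    const struct xe_entry *e = (const struct xe_entry *)(hdr + 1);
    int i;

    for (i = 0; i < hdr->count; i++, e++) {
        if ((const char *)e + sizeof(*e) > (const char *)end)
            return -EUCLEAN;
        if (e->name_hash == hash)
            return i;
    }
    return -ENODATA;
}

/*
 * Build a 28-byte block holding a header and three entries, set 'count' to
 * 'claimed' (3 for a well-formed block, anything larger for a crafted one),
 * and scan it. Without the bounds check, claimed=100 would read 97 entries
 * past the block.
 */
int scan_block(uint16_t claimed, uint32_t hash)
{
    uint32_t block[7];                          /* 28 bytes, 4-byte aligned */
    struct xe_header *hdr = (struct xe_header *)block;
    struct xe_entry *ents = (struct xe_entry *)(hdr + 1);

    memset(block, 0, sizeof(block));
    hdr->count = claimed;
    ents[0].name_hash = 0x11111111u;            /* constructed entries */
    ents[1].name_hash = 0x22222222u;
    ents[2].name_hash = 0x33333333u;
    return find_entry_checked(hdr, (const char *)block + sizeof(block), hash);
}

int main(void)
{
    printf("well-formed, present:  %d\n", scan_block(3, 0x22222222u));
    printf("well-formed, absent:   %d\n", scan_block(3, 0xdeadbeefu));
    printf("crafted count, absent: %d\n", scan_block(100, 0xdeadbeefu));
    return 0;
}
```

The same rule applies to the panasonic-laptop SINF array and the sd VPD page entries on this page: the size the data claims for itself is an input, and the region that is actually mapped is the bound.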


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

USB: usbtmc: prevent kernel-usb-infoleak

The syzbot reported a kernel-usb-infoleak in usbtmc_write, we need to clear the structure before filling fields.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: don't wait for tx queues if firmware is dead

There is a WARNING in iwl_trans_wait_tx_queues_empty() (that was recently converted from just a message), that can be hit if we wait for TX queues to become empty after firmware died.

Clearly, we can't expect anything from the firmware after it's declared dead.

Don't call iwl_trans_wait_tx_queues_empty() in this case. While it could be a good idea to stop the flow earlier, the flush functions do some maintenance work that is not related to the firmware, so keep that part of the code running even when the firmware is not running.

[edit commit message]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: iwlwifi: mvm: pause TCM when the firmware is stopped

Not doing so will make us send a host command to the transport while the firmware is not alive, which will trigger a WARNING.

bad state = 0
WARNING: CPU: 2 PID: 17434 at drivers/net/wireless/intel/iwlwifi/iwl-trans.c:115 iwl_trans_send_cmd+0x1cb/0x1e0 [iwlwifi]
RIP: 0010:iwl_trans_send_cmd+0x1cb/0x1e0 [iwlwifi]
Call Trace:
<TASK>
iwl_mvm_send_cmd+0x40/0xc0 [iwlmvm]
iwl_mvm_config_scan+0x198/0x260 [iwlmvm]
iwl_mvm_recalc_tcm+0x730/0x11d0 [iwlmvm]
iwl_mvm_tcm_work+0x1d/0x30 [iwlmvm]
process_one_work+0x29e/0x640
worker_thread+0x2df/0x690
? rescuer_thread+0x540/0x540
kthread+0x192/0x1e0
? set_kthread_struct+0x90/0x90
ret_from_fork+0x22/0x30


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: avoid leaving partial pfn mappings around in error case

As Jann points out, PFN mappings are special, because unlike normal memory mappings, there is no lifetime information associated with the mapping - it is just a raw mapping of PFNs with no reference counting of a 'struct page'.

That's all very much intentional, but it does mean that it's easy to mess up the cleanup in case of errors. Yes, a failed mmap() will always eventually clean up any partial mappings, but without any explicit lifetime in the page table mapping itself, it's very easy to do the error handling in the wrong order.

In particular, it's easy to mistakenly free the physical backing store before the page tables are actually cleaned up and (temporarily) have stale dangling PTE entries.

To make this situation less error-prone, just make sure that any partial pfn mapping is torn down early, before any other error handling.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

vfs: fix race between evice_inodes() and find_inode()&iput()

Hi, all

Recently I noticed a bug[1] in btrfs; after digging into it, I believe it's a race in vfs.

Let's assume there's an inode (i.e. ino 261) with i_count 1 on which iput() is called, and there's a concurrent thread calling generic_shutdown_super().

cpu0:                                      cpu1:
iput() // i_count is 1
  ->spin_lock(inode)
  ->dec i_count to 0
  ->iput_final()                           generic_shutdown_super()
    ->__inode_add_lru()                      ->evict_inodes()
      // cause some reason[2]                  ->if (atomic_read(inode->i_count)) continue;
      // return before                         // inode 261 passed the above check
      // list_lru_add_obj()                    // and then schedule out
  ->spin_unlock()
// note here: the inode 261
// was still at sb list and hash list,
// and I_FREEING|I_WILL_FREE had not been set

                                           btrfs_iget()
                                             // after some function calls
                                             ->find_inode()
                                               // found the above inode 261
                                               ->spin_lock(inode)
                                               // check I_FREEING|I_WILL_FREE
                                               // and passed
                                               ->__iget()
                                               ->spin_unlock(inode)
// schedule back
  ->spin_lock(inode)
  // check (I_NEW|I_FREEING|I_WILL_FREE) flags,
  // passed and set I_FREEING               iput()
  ->spin_unlock(inode)                        ->spin_lock(inode)
  ->evict()                                   // dec i_count to 0
                                              ->iput_final()
                                              ->spin_unlock()
                                              ->evict()

Now, we have two threads simultaneously evicting the same inode, which may trigger the BUG(inode->i_state & I_CLEAR) statement both within clear_inode() and iput().

To fix the bug, recheck the inode->i_count after holding i_lock. Because in most scenarios, the first check is valid, and the overhead of spin_lock() can be reduced.

If there is any misunderstanding, please let me know, thanks.

[1]: https://lore.kernel.org/linux-btrfs/000000000000eabe1d0619c48986@google.com/
[2]: The reason might be 1. SB_ACTIVE was removed or 2. mapping_shrinkable() return false when I reproduced the bug.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: sd: Fix off-by-one error in sd_read_block_characteristics()

If the device returns page 0xb1 with length 8 (happens with qemu v2.x, for example), sd_read_block_characteristics() may attempt an out-of-bounds memory access when accessing the zoned field at offset 8.
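The off-by-one is in the length guard: a field at byte offset 8 exists only when at least 9 bytes are valid, so a check of the form `len < 8` admits a page of exactly 8 bytes and then reads the byte just past it. The following added example (not the kernel's sd.c; a user-space model with its own `struct vpd_page`, and a page whose bytes past the valid length are poisoned as a constructed input) shows the buggy guard beside the corrected one and a general helper for "does this field fit".

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal model of a fetched VPD page: 'len' valid bytes in 'data'.
 * Constructed for this example; not the kernel's struct scsi_vpd. */
struct vpd_page {
    size_t  len;
    uint8_t data[64];
};

#define ZONED_OFFSET 8   /* byte of page 0xB1 that carries the ZONED field (bits 5:4) */

/* Bug shape: 'len < 8' lets len == 8 through, and data[8] is then the first
 * byte past the valid data. */
int zoned_field_buggy(const struct vpd_page *vpd)
{
    if (vpd->len < ZONED_OFFSET)
        return -1;
    return (vpd->data[ZONED_OFFSET] >> 4) & 0x3;
}

/* General rule: a 'width'-byte field at byte 'off' exists iff off + width <= len. */
int vpd_field_present(const struct vpd_page *vpd, size_t off, size_t width)
{
    return off + width <= vpd->len;
}

/* Fixed shape: the field at byte 8 needs at least 9 valid bytes. */
int zoned_field_fixed(const struct vpd_page *vpd)
{
    if (!vpd_field_present(vpd, ZONED_OFFSET, 1))
        return -1;   /* short page: report "unknown" rather than read past it */
    return (vpd->data[ZONED_OFFSET] >> 4) & 0x3;
}

/*
 * Build a page of 'len' valid bytes whose buffer beyond 'len' is poisoned
 * with 0x30 (ZONED bits == 3), set a real ZONED value of 1 when the field is
 * genuinely present, and run an accessor. On an 8-byte page the buggy
 * accessor returns the poison (3); the fixed one returns -1.
 */
int probe_page(size_t len, int (*accessor)(const struct vpd_page *))
{
    struct vpd_page vpd;
    size_t valid = len < sizeof(vpd.data) ? len : sizeof(vpd.data);

    memset(vpd.data, 0x30, sizeof(vpd.data));   /* stale bytes past the valid page */
    memset(vpd.data, 0x00, valid);              /* constructed page contents */
    vpd.len = len;
    if (len > ZONED_OFFSET)
        vpd.data[ZONED_OFFSET] = 0x10;          /* ZONED == 1, host-aware (constructed) */
    return accessor(&vpd);
}

int main(void)
{
    printf("8-byte page: buggy=%d fixed=%d\n",
           probe_page(8, zoned_field_buggy), probe_page(8, zoned_field_fixed));
    printf("12-byte page: buggy=%d fixed=%d\n",
           probe_page(12, zoned_field_buggy), probe_page(12, zoned_field_fixed));
    return 0;
}
```

In the kernel the stale byte would be whatever follows the VPD buffer in the slab, which is why the symptom is an out-of-bounds read rather than a clean failure.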


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp: check skb is non-NULL in tcp_rto_delta_us()

We have some machines running stock Ubuntu 20.04.6 which is their 5.4.0-174-generic kernel that are running ceph and recently hit a null ptr dereference in tcp_rearm_rto(). Initially hitting it from the TLP path, but then later we also saw it getting hit from the RACK case as well. Here are examples of the oops messages we saw in each of those cases:

Jul 26 15:05:02 rx [11061395.780353] BUG: kernel NULL pointer dereference, address: 0000000000000020
Jul 26 15:05:02 rx [11061395.787572] #PF: supervisor read access in kernel mode
Jul 26 15:05:02 rx [11061395.792971] #PF: error_code(0x0000) - not-present page
Jul 26 15:05:02 rx [11061395.798362] PGD 0 P4D 0
Jul 26 15:05:02 rx [11061395.801164] Oops: 0000 [#1] SMP NOPTI
Jul 26 15:05:02 rx [11061395.805091] CPU: 0 PID: 9180 Comm: msgr-worker-1 Tainted: G W 5.4.0-174-generic #193-Ubuntu
Jul 26 15:05:02 rx [11061395.814996] Hardware name: Supermicro SMC 2x26 os-gen8 64C NVME-Y 256G/H12SSW-NTR, BIOS 2.5.V1.2U.NVMe.UEFI 05/09/2023
Jul 26 15:05:02 rx [11061395.825952] RIP: 0010:tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.830656] Code: 87 ca 04 00 00 00 5b 41 5c 41 5d 5d c3 c3 49 8b bc 24 40 06 00 00 eb 8d 48 bb cf f7 53 e3 a5 9b c4 20 4c 89 ef e8 0c fe 0e 00 <48> 8b 78 20 48 c1 ef 03 48 89 f8 41 8b bc 24 80 04 00 00 48 f7 e3
Jul 26 15:05:02 rx [11061395.849665] RSP: 0018:ffffb75d40003e08 EFLAGS: 00010246
Jul 26 15:05:02 rx [11061395.855149] RAX: 0000000000000000 RBX: 20c49ba5e353f7cf RCX: 0000000000000000
Jul 26 15:05:02 rx [11061395.862542] RDX: 0000000062177c30 RSI: 000000000000231c RDI: ffff9874ad283a60
Jul 26 15:05:02 rx [11061395.869933] RBP: ffffb75d40003e20 R08: 0000000000000000 R09: ffff987605e20aa8
Jul 26 15:05:02 rx [11061395.877318] R10: ffffb75d40003f00 R11: ffffb75d4460f740 R12: ffff9874ad283900
Jul 26 15:05:02 rx [11061395.884710] R13: ffff9874ad283a60 R14: ffff9874ad283980 R15: ffff9874ad283d30
Jul 26 15:05:02 rx [11061395.892095] FS: 00007f1ef4a2e700(0000) GS:ffff987605e00000(0000) knlGS:0000000000000000
Jul 26 15:05:02 rx [11061395.900438] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 26 15:05:02 rx [11061395.906435] CR2: 0000000000000020 CR3: 0000003e450ba003 CR4: 0000000000760ef0
Jul 26 15:05:02 rx [11061395.913822] PKRU: 55555554
Jul 26 15:05:02 rx [11061395.916786] Call Trace:
Jul 26 15:05:02 rx [11061395.919488]
Jul 26 15:05:02 rx [11061395.921765] ? show_regs.cold+0x1a/0x1f
Jul 26 15:05:02 rx [11061395.925859] ? __die+0x90/0xd9
Jul 26 15:05:02 rx [11061395.929169] ? no_context+0x196/0x380
Jul 26 15:05:02 rx [11061395.933088] ? ip6_protocol_deliver_rcu+0x4e0/0x4e0
Jul 26 15:05:02 rx [11061395.938216] ? ip6_sublist_rcv_finish+0x3d/0x50
Jul 26 15:05:02 rx [11061395.943000] ? __bad_area_nosemaphore+0x50/0x1a0
Jul 26 15:05:02 rx [11061395.947873] ? bad_area_nosemaphore+0x16/0x20
Jul 26 15:05:02 rx [11061395.952486] ? do_user_addr_fault+0x267/0x450
Jul 26 15:05:02 rx [11061395.957104] ? ipv6_list_rcv+0x112/0x140
Jul 26 15:05:02 rx [11061395.961279] ? __do_page_fault+0x58/0x90
Jul 26 15:05:02 rx [11061395.965458] ? do_page_fault+0x2c/0xe0
Jul 26 15:05:02 rx [11061395.969465] ? page_fault+0x34/0x40
Jul 26 15:05:02 rx [11061395.973217] ? tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.977313] ? tcp_rearm_rto+0xe4/0x160
Jul 26 15:05:02 rx [11061395.981408] tcp_send_loss_probe+0x10b/0x220
Jul 26 15:05:02 rx [11061395.985937] tcp_write_timer_handler+0x1b4/0x240
Jul 26 15:05:02 rx [11061395.990809] tcp_write_timer+0x9e/0xe0
Jul 26 15:05:02 rx [11061395.994814] ? tcp_write_timer_handler+0x240/0x240
Jul 26 15:05:02 rx [11061395.999866] call_timer_fn+0x32/0x130
Jul 26 15:05:02 rx [11061396.003782] __run_timers.part.0+0x180/0x280
Jul 26 15:05:02 rx [11061396.008309] ? recalibrate_cpu_khz+0x10/0x10
Jul 26 15:05:02 rx [11061396.012841] ? native_x2apic_icr_write+0x30/0x30
Jul 26 15:05:02 rx [11061396.017718] ? lapic_next_even
---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_reject_ipv6: fix nf_reject_ip6_tcphdr_put()

syzbot reported that nf_reject_ip6_tcphdr_put() was possibly sending garbage on the four reserved tcp bits (th->res1)

Use skb_put_zero() to clear the whole TCP header, as done in nf_reject_ip_tcphdr_put()

BUG: KMSAN: uninit-value in nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
nf_reject_ip6_tcphdr_put+0x688/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:255
nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core net/core/dev.c:5661 [inline]
__netif_receive_skb+0x1da/0xa00 net/core/dev.c:5775
process_backlog+0x4ad/0xa50 net/core/dev.c:6108
__napi_poll+0xe7/0x980 net/core/dev.c:6772
napi_poll net/core/dev.c:6841 [inline]
net_rx_action+0xa5a/0x19b0 net/core/dev.c:6963
handle_softirqs+0x1ce/0x800 kernel/softirq.c:554
__do_softirq+0x14/0x1a kernel/softirq.c:588
do_softirq+0x9a/0x100 kernel/softirq.c:455
__local_bh_enable_ip+0x9f/0xb0 kernel/softirq.c:382
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:908 [inline]
__dev_queue_xmit+0x2692/0x5610 net/core/dev.c:4450
dev_queue_xmit include/linux/netdevice.h:3105 [inline]
neigh_resolve_output+0x9ca/0xae0 net/core/neighbour.c:1565
neigh_output include/net/neighbour.h:542 [inline]
ip6_finish_output2+0x2347/0x2ba0 net/ipv6/ip6_output.c:141
__ip6_finish_output net/ipv6/ip6_output.c:215 [inline]
ip6_finish_output+0xbb8/0x14b0 net/ipv6/ip6_output.c:226
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x356/0x620 net/ipv6/ip6_output.c:247
dst_output include/net/dst.h:450 [inline]
NF_HOOK include/linux/netfilter.h:314 [inline]
ip6_xmit+0x1ba6/0x25d0 net/ipv6/ip6_output.c:366
inet6_csk_xmit+0x442/0x530 net/ipv6/in6_connection_sock.c:135
__tcp_transmit_skb+0x3b07/0x4880 net/ipv4/tcp_output.c:1466
tcp_transmit_skb net/ipv4/tcp_output.c:1484 [inline]
tcp_connect+0x35b6/0x7130 net/ipv4/tcp_output.c:4143
tcp_v6_connect+0x1bcc/0x1e40 net/ipv6/tcp_ipv6.c:333
__inet_stream_connect+0x2ef/0x1730 net/ipv4/af_inet.c:679
inet_stream_connect+0x6a/0xd0 net/ipv4/af_inet.c:750
__sys_connect_file net/socket.c:2061 [inline]
__sys_connect+0x606/0x690 net/socket.c:2078
__do_sys_connect net/socket.c:2088 [inline]
__se_sys_connect net/socket.c:2085 [inline]
__x64_sys_connect+0x91/0xe0 net/socket.c:2085
x64_sys_call+0x27a5/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:43
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was stored to memory at:
nf_reject_ip6_tcphdr_put+0x60c/0x6c0 net/ipv6/netfilter/nf_reject_ipv6.c:249
nf_send_reset6+0xd84/0x15b0 net/ipv6/netfilter/nf_reject_ipv6.c:344
nft_reject_inet_eval+0x3c1/0x880 net/netfilter/nft_reject_inet.c:48
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x438/0x22a0 net/netfilter/nf_tables_core.c:288
nft_do_chain_inet+0x41a/0x4f0 net/netfilter/nft_chain_filter.c:161
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
nf_hook include/linux/netfilter.h:269 [inline]
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0x29b/0x390 net/ipv6/ip6_input.c:310
__netif_receive_skb_one_core ---truncated---
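As an added illustration (not code from this page or from the kernel), the C program below models why filling the RST header field by field left th->res1 with whatever the buffer held, and why clearing the whole header first fixes it. struct tcphdr_like, skb_put_like() and skb_put_zero_like() are simplified stand-ins for struct tcphdr, skb_put() and skb_put_zero(); the 0xff "stale" bytes are constructed input. The doff assignment is written the way a C bitfield store behaves: it rewrites its own nibble of byte 12 and leaves the reserved nibble untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a 20-byte TCP header, standing in for struct tcphdr. Byte 12 holds the
 * 4-bit data offset in its high nibble and the 4 reserved bits (th->res1) in its low nibble. */
struct tcphdr_like {
    uint16_t source, dest;
    uint32_t seq, ack_seq;
    uint8_t  doff_res1;
    uint8_t  flags;            /* byte 13: CWR ECE URG ACK PSH RST SYN FIN */
    uint16_t window, check, urg_ptr;
};
#define TCP_RST 0x04

/* Stand-in for skb_put(): hands back the tail area exactly as it is, stale bytes included. */
static struct tcphdr_like *skb_put_like(struct tcphdr_like *tail)
{
    return tail;
}

/* Stand-in for skb_put_zero(): same area, cleared first. */
static struct tcphdr_like *skb_put_zero_like(struct tcphdr_like *tail)
{
    memset(tail, 0, sizeof(*tail));
    return tail;
}

/* Field-by-field fill mirroring the pre-fix nf_reject_ip6_tcphdr_put(): doff is a bitfield
 * store that leaves the other nibble of byte 12 alone, byte 13 is zeroed by hand, and so
 * res1 is the one part of the header that nobody ever writes. */
static void fill_rst(struct tcphdr_like *th, uint16_t sport, uint16_t dport, uint32_t seq)
{
    th->doff_res1 = (uint8_t)((th->doff_res1 & 0x0f) | ((sizeof(*th) / 4) << 4));
    th->source  = sport;
    th->dest    = dport;
    th->seq     = seq;
    th->ack_seq = 0;
    th->flags   = 0;               /* ((u_int8_t *)tcph)[13] = 0; */
    th->flags  |= TCP_RST;         /* tcph->rst = 1; */
    th->window  = 0;
    th->urg_ptr = 0;
    th->check   = 0;
}

/* Both builders take the tail area with whatever it already contains and return res1. */
uint8_t rst_res1_before_fix(struct tcphdr_like *tail)
{
    struct tcphdr_like *th = skb_put_like(tail);
    fill_rst(th, 443, 51000, 0x1234);
    return th->doff_res1 & 0x0f;
}

uint8_t rst_res1_after_fix(struct tcphdr_like *tail)
{
    struct tcphdr_like *th = skb_put_zero_like(tail);
    fill_rst(th, 443, 51000, 0x1234);
    return th->doff_res1 & 0x0f;
}

uint8_t hdr_doff(const struct tcphdr_like *th)
{
    return th->doff_res1 >> 4;
}

int main(void)
{
    struct tcphdr_like tail;

    memset(&tail, 0xff, sizeof(tail));   /* constructed: stale page contents under the tail */
    printf("skb_put:      res1=0x%x doff=%u\n", rst_res1_before_fix(&tail), hdr_doff(&tail));
    memset(&tail, 0xff, sizeof(tail));
    printf("skb_put_zero: res1=0x%x doff=%u\n", rst_res1_after_fix(&tail), hdr_doff(&tail));
    return 0;
}
```

With the stale buffer, the skb_put() variant emits res1 = 0xf on the wire while doff and the flag byte look perfectly valid, which is why the leak is invisible to anything that only validates the fields it knows about; KMSAN catches it because it tracks initialisation per byte rather than per field.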


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: return -EINVAL when namelen is 0

When we have a corrupted main.sqlite in /var/lib/nfs/nfsdcld/, it may result in namelen being 0, which will cause memdup_user() to return ZERO_SIZE_PTR. When we access the name.data that has been assigned the value of ZERO_SIZE_PTR in nfs4_client_to_reclaim(), null pointer dereference is triggered.

[ T1205] ==================================================================
[ T1205] BUG: KASAN: null-ptr-deref in nfs4_client_to_reclaim+0xe9/0x260
[ T1205] Read of size 1 at addr 0000000000000010 by task nfsdcld/1205
[ T1205]
[ T1205] CPU: 11 PID: 1205 Comm: nfsdcld Not tainted 5.10.0-00003-g2c1423731b8d #406
[ T1205] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[ T1205] Call Trace:
[ T1205] dump_stack+0x9a/0xd0
[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260
[ T1205] __kasan_report.cold+0x34/0x84
[ T1205] ? nfs4_client_to_reclaim+0xe9/0x260
[ T1205] kasan_report+0x3a/0x50
[ T1205] nfs4_client_to_reclaim+0xe9/0x260
[ T1205] ? nfsd4_release_lockowner+0x410/0x410
[ T1205] cld_pipe_downcall+0x5ca/0x760
[ T1205] ? nfsd4_cld_tracking_exit+0x1d0/0x1d0
[ T1205] ? down_write_killable_nested+0x170/0x170
[ T1205] ? avc_policy_seqno+0x28/0x40
[ T1205] ? selinux_file_permission+0x1b4/0x1e0
[ T1205] rpc_pipe_write+0x84/0xb0
[ T1205] vfs_write+0x143/0x520
[ T1205] ksys_write+0xc9/0x170
[ T1205] ? __ia32_sys_read+0x50/0x50
[ T1205] ? ktime_get_coarse_real_ts64+0xfe/0x110
[ T1205] ? ktime_get_coarse_real_ts64+0xa2/0x110
[ T1205] do_syscall_64+0x33/0x40
[ T1205] entry_SYSCALL_64_after_hwframe+0x67/0xd1
[ T1205] RIP: 0033:0x7fdbdb761bc7
[ T1205] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 514
[ T1205] RSP: 002b:00007fff8c4b7248 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ T1205] RAX: ffffffffffffffda RBX: 000000000000042b RCX: 00007fdbdb761bc7
[ T1205] RDX: 000000000000042b RSI: 00007fff8c4b75f0 RDI: 0000000000000008
[ T1205] RBP: 00007fdbdb761bb0 R08: 0000000000000000 R09: 0000000000000001
[ T1205] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000042b
[ T1205] R13: 0000000000000008 R14: 00007fff8c4b75f0 R15: 0000000000000000
[ T1205] ==================================================================

Fix it by checking namelen.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

IB/core: Fix ib_cache_setup_one error flow cleanup

When ib_cache_update returns an error, we exit ib_cache_setup_one instantly with no proper cleanup, even though before this we had already successfully done gid_table_setup_one, that results in the kernel WARN below.

Do proper cleanup using gid_table_cleanup_one before returning the err in order to fix the issue.

WARNING: CPU: 4 PID: 922 at drivers/infiniband/core/cache.c:806 gid_table_release_one+0x181/0x1a0
Modules linked in:
CPU: 4 UID: 0 PID: 922 Comm: c_repro Not tainted 6.11.0-rc1+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:gid_table_release_one+0x181/0x1a0
Code: 44 8b 38 75 0c e8 2f cb 34 ff 4d 8b b5 28 05 00 00 e8 23 cb 34 ff 44 89 f9 89 da 4c 89 f6 48 c7 c7 d0 58 14 83 e8 4f de 21 ff <0f> 0b 4c 8b 75 30 e9 54 ff ff ff 48 8 3 c4 10 5b 5d 41 5c 41 5d 41
RSP: 0018:ffffc90002b835b0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff811c8527
RDX: 0000000000000000 RSI: ffffffff811c8534 RDI: 0000000000000001
RBP: ffff8881011b3d00 R08: ffff88810b3abe00 R09: 205d303839303631
R10: 666572207972746e R11: 72746e6520444947 R12: 0000000000000001
R13: ffff888106390000 R14: ffff8881011f2110 R15: 0000000000000001
FS: 00007fecc3b70800(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000340 CR3: 000000010435a001 CR4: 00000000003706b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? show_regs+0x94/0xa0
? __warn+0x9e/0x1c0
? gid_table_release_one+0x181/0x1a0
? report_bug+0x1f9/0x340
? gid_table_release_one+0x181/0x1a0
? handle_bug+0xa2/0x110
? exc_invalid_op+0x31/0xa0
? asm_exc_invalid_op+0x16/0x20
? __warn_printk+0xc7/0x180
? __warn_printk+0xd4/0x180
? gid_table_release_one+0x181/0x1a0
ib_device_release+0x71/0xe0
? __pfx_ib_device_release+0x10/0x10
device_release+0x44/0xd0
kobject_put+0x135/0x3d0
put_device+0x20/0x30
rxe_net_add+0x7d/0xa0
rxe_newlink+0xd7/0x190
nldev_newlink+0x1b0/0x2a0
? __pfx_nldev_newlink+0x10/0x10
rdma_nl_rcv_msg+0x1ad/0x2e0
rdma_nl_rcv_skb.constprop.0+0x176/0x210
netlink_unicast+0x2de/0x400
netlink_sendmsg+0x306/0x660
__sock_sendmsg+0x110/0x120
____sys_sendmsg+0x30e/0x390
___sys_sendmsg+0x9b/0xf0
? kstrtouint+0x6e/0xa0
? kstrtouint_from_user+0x7c/0xb0
? get_pid_task+0xb0/0xd0
? proc_fail_nth_write+0x5b/0x140
? __fget_light+0x9a/0x200
? preempt_count_add+0x47/0xa0
__sys_sendmsg+0x61/0xd0
do_syscall_64+0x50/0x110
entry_SYSCALL_64_after_hwframe+0x76/0x7e


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rtrs-clt: Reset cid to con_num - 1 to stay in bounds

In the function init_conns(), if something fails after the create_con() and create_cm() for loop, the cleanup for loop after the destroy tag accesses out-of-bounds memory, because cid is set to clt_path->s.con_num.

This commit resets the cid to clt_path->s.con_num - 1, to stay in bounds in the cleanup loop later.
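The RDMA/rtrs-clt entry above and the IB/core entry before it are both error-path cleanup bugs: one unwinds one slot too many, the other unwinds nothing. The C model below is an added example, not kernel code. struct path_like, create_con(), destroy_con(), init_conns() and setup_one() are hypothetical stand-ins, and the 0..cid inclusive shape of the cleanup loop is an assumption of this model, chosen so that cid == con_num reaches one index past the array, as the commit message describes. The slot array carries one spare element so the program can record that index being touched instead of actually reading out of bounds.

```c
#include <errno.h>
#include <string.h>

#define CON_NUM 4

/* Hypothetical stand-in for the path state. The slot array has one spare element so the
 * model can observe a cleanup loop reaching index CON_NUM (the driver's out-of-bounds
 * access) without itself reading past an array. */
struct path_like {
    int con_num;
    int created[CON_NUM + 1];   /* 1 while that connection exists */
    int touched_max;            /* highest index destroy_con() was asked for */
};

void path_reset(struct path_like *p)
{
    memset(p, 0, sizeof(*p));
    p->con_num = CON_NUM;
    p->touched_max = -1;
}

/* create_con()/create_cm() stand-in: fails for cid == fail_at (-1: never fails). */
static int create_con(struct path_like *p, int cid, int fail_at)
{
    if (cid == fail_at)
        return -ENOMEM;
    p->created[cid] = 1;
    return 0;
}

/* destroy_con() stand-in: records the index it was handed, then frees the slot if any. */
static void destroy_con(struct path_like *p, int cid)
{
    if (cid > p->touched_max)
        p->touched_max = cid;
    if (cid < p->con_num)
        p->created[cid] = 0;
}

/* Connections still allocated; non-zero after an error return means a leak. */
int live_connections(const struct path_like *p)
{
    int n = 0;
    for (int i = 0; i < p->con_num; i++)
        n += p->created[i];
    return n;
}

/* init_conns() shape. With fixed == 0 this is the pre-fix flow: when the post-loop step
 * fails, cid has already run to con_num and the 0..cid inclusive cleanup loop (the loop
 * shape assumed by this model) hands destroy_con() index con_num. */
int init_conns(struct path_like *p, int fail_at, int reqs_fail, int fixed)
{
    int cid, err = 0;

    for (cid = 0; cid < p->con_num; cid++) {
        err = create_con(p, cid, fail_at);
        if (err)
            goto destroy;
    }
    if (reqs_fail) {                    /* alloc_path_reqs() failed; cid == con_num */
        err = -ENOMEM;
        if (fixed)
            cid = p->con_num - 1;       /* the fix: last index the loop created */
        goto destroy;
    }
    return 0;

destroy:
    for (int i = 0; i <= cid; i++)      /* cleanup in creation order */
        destroy_con(p, i);
    return err;
}

/* ib_cache_setup_one() shape: step one allocates, step two fails. With unwind == 0 the
 * early return skips undoing step one, so the later release path finds it still set up. */
int setup_one(struct path_like *p, int second_fails, int unwind)
{
    if (create_con(p, 0, -1))           /* gid_table_setup_one() */
        return -ENOMEM;
    if (second_fails) {                 /* ib_cache_update() returned an error */
        if (unwind)
            destroy_con(p, 0);          /* gid_table_cleanup_one() */
        return -EIO;
    }
    return 0;
}
```

The two failure modes are symmetric: after init_conns(&p, -1, 1, 0) the model reports touched_max == CON_NUM, i.e. a destroy call for a slot that was never part of the array, while after setup_one(&p, 1, 0) it reports one live connection on an error return, the leak that the gid_table_release_one() WARN in the IB/core report later trips over.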


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/iwcm: Fix WARNING:at_kernel/workqueue.c:#check_flush_dependency

In the commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs"), the function flush_workqueue is invoked to flush the work queue iwcm_wq.

But at that time, the work queue iwcm_wq was created via the function alloc_ordered_workqueue without the flag WQ_MEM_RECLAIM.

Because the current process is trying to flush the whole iwcm_wq, if iwcm_wq doesn't have the flag WQ_MEM_RECLAIM, verify that the current process is not reclaiming memory or running on a workqueue which doesn't have the flag WQ_MEM_RECLAIM as that can break forward-progress guarantee leading to a deadlock.

The call trace is as below:

[ 125.350876][ T1430] Call Trace:
[ 125.356281][ T1430] <TASK>
[ 125.361285][ T1430] ? __warn (kernel/panic.c:693)
[ 125.367640][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
[ 125.375689][ T1430] ? report_bug (lib/bug.c:180 lib/bug.c:219)
[ 125.382505][ T1430] ? handle_bug (arch/x86/kernel/traps.c:239)
[ 125.388987][ T1430] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
[ 125.395831][ T1430] ? asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:621)
[ 125.403125][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
[ 125.410984][ T1430] ? check_flush_dependency (kernel/workqueue.c:3706 (discriminator 9))
[ 125.418764][ T1430] __flush_workqueue (kernel/workqueue.c:3970)
[ 125.426021][ T1430] ? __pfx___might_resched (kernel/sched/core.c:10151)
[ 125.433431][ T1430] ? destroy_cm_id (drivers/infiniband/core/iwcm.c:375) iw_cm
[ 125.441209][ T1430] ? __pfx___flush_workqueue (kernel/workqueue.c:3910)
[ 125.473900][ T1430] ? _raw_spin_lock_irqsave (arch/x86/include/asm/atomic.h:107 include/linux/atomic/atomic-arch-fallback.h:2170 include/linux/atomic/atomic-instrumented.h:1302 include/asm-generic/qspinlock.h:111 include/linux/spinlock.h:187 include/linux/spinlock_api_smp.h:111 kernel/locking/spinlock.c:162)
[ 125.473909][ T1430] ? __pfx__raw_spin_lock_irqsave (kernel/locking/spinlock.c:161)
[ 125.482537][ T1430] _destroy_id (drivers/infiniband/core/cma.c:2044) rdma_cm
[ 125.495072][ T1430] nvme_rdma_free_queue (drivers/nvme/host/rdma.c:656 drivers/nvme/host/rdma.c:650) nvme_rdma
[ 125.505827][ T1430] nvme_rdma_reset_ctrl_work (drivers/nvme/host/rdma.c:2180) nvme_rdma
[ 125.505831][ T1430] process_one_work (kernel/workqueue.c:3231)
[ 125.515122][ T1430] worker_thread (kernel/workqueue.c:3306 kernel/workqueue.c:3393)
[ 125.515127][ T1430] ? __pfx_worker_thread (kernel/workqueue.c:3339)
[ 125.531837][ T1430] kthread (kernel/kthread.c:389)
[ 125.539864][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
[ 125.550628][ T1430] ret_from_fork (arch/x86/kernel/process.c:147)
[ 125.558840][ T1430] ? __pfx_kthread (kernel/kthread.c:342)
[ 125.558844][ T1430] ret_from_fork_asm (arch/x86/entry/entry_64.S:257)
[ 125.566487][ T1430] </TASK>
[ 125.566488][ T1430] ---[ end trace 0000000000000000 ]---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

drivers: media: dvb-frontends/rtl2830: fix an out-of-bounds write error

Ensure index in rtl2830_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt to access a non-existent 33rd bit, leading to out-of-bounds access.

Change the boundary check from index > 32 to index >= 32 to resolve this issue.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

drivers: media: dvb-frontends/rtl2832: fix an out-of-bounds write error

Ensure index in rtl2832_pid_filter does not exceed 31 to prevent out-of-bounds access. dev->filters is a 32-bit value, so set_bit and clear_bit functions should only operate on indices from 0 to 31. If index is 32, it will attempt to access a non-existent 33rd bit, leading to out-of-bounds access.

Change the boundary check from index > 32 to index >= 32 to resolve this issue.

[hverkuil: added fixes tag, rtl2830_pid_filter -> rtl2832_pid_filter in logmsg]
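The rtl2830 and rtl2832 entries describe the same off-by-one. The C program below is an added example, not driver code, showing where bit 32 lands when the check lets it through: the kernel's set_bit()/clear_bit() take no size argument, so bit 32 of a u32 is simply the first bit of whatever follows it in the struct. struct demod_like with its next_field neighbour, and the byte-addressed bit_set()/bit_clear() standing in for set_bit()/clear_bit(), are assumptions of this model; the real driver's neighbouring field is not named on this page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the demodulator's private state; only the shape matters:
 * a 32-bit filter mask immediately followed by some other field. */
struct demod_like {
    uint32_t filters;      /* one bit per PID filter slot, valid slots 0..31 */
    uint32_t next_field;   /* whatever the real struct keeps after 'filters' */
};

/* Byte-addressed stand-ins for the kernel's set_bit()/clear_bit(): like them, they take
 * no size argument and touch whichever byte the bit index points at. */
static void bit_set(unsigned nr, void *addr)
{
    ((uint8_t *)addr)[nr / 8] |= (uint8_t)(1u << (nr % 8));
}

static void bit_clear(unsigned nr, void *addr)
{
    ((uint8_t *)addr)[nr / 8] &= (uint8_t)~(1u << (nr % 8));
}

/* Pre-fix check: 'index > 32' lets index 32 through, one past the last valid slot. */
int pid_filter_before_fix(struct demod_like *dev, unsigned index, int onoff)
{
    if (index > 32)
        return -EINVAL;
    if (onoff)
        bit_set(index, &dev->filters);
    else
        bit_clear(index, &dev->filters);
    return 0;
}

/* Post-fix check: slots are 0..31, so anything >= 32 is rejected before memory is touched. */
int pid_filter_after_fix(struct demod_like *dev, unsigned index, int onoff)
{
    if (index >= 32)
        return -EINVAL;
    if (onoff)
        bit_set(index, &dev->filters);
    else
        bit_clear(index, &dev->filters);
    return 0;
}

/* Runs one variant against a zeroed state and reports both fields afterwards. */
int try_filter(int (*variant)(struct demod_like *, unsigned, int), unsigned index,
               uint32_t *filters, uint32_t *next_field)
{
    struct demod_like dev = { 0, 0 };
    int rc = variant(&dev, index, 1);

    *filters = dev.filters;
    *next_field = dev.next_field;
    return rc;
}

int main(void)
{
    uint32_t f, n;
    int rc;

    rc = try_filter(pid_filter_before_fix, 32, &f, &n);
    printf("before fix, index 32: rc=%d filters=%08x next_field=%08x\n", rc, (unsigned)f, (unsigned)n);
    rc = try_filter(pid_filter_after_fix, 32, &f, &n);
    printf("after fix,  index 32: rc=%d filters=%08x next_field=%08x\n", rc, (unsigned)f, (unsigned)n);
    return 0;
}
```

Index 32 under the old check leaves filters untouched and flips a bit in next_field instead, which is the characteristic signature of this class of bug: the field you meant to write looks fine, and the corruption shows up wherever the compiler happened to place the next member.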


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix potential null-ptr-deref in nilfs_btree_insert()

Patch series "nilfs2: fix potential issues with empty b-tree nodes".

This series addresses three potential issues with empty b-tree nodes that can occur with corrupted filesystem images, including one recently discovered by syzbot.

This patch (of 3):

If a b-tree is broken on the device, and the b-tree height is greater than 2 (the level of the root node is greater than 1) even if the number of child nodes of the b-tree root is 0, a NULL pointer dereference occurs in nilfs_btree_prepare_insert(), which is called from nilfs_btree_insert().

This is because, when the number of child nodes of the b-tree root is 0, nilfs_btree_do_lookup() does not set the block buffer head in any of path[x].bp_bh, leaving it as the initial value of NULL, but if the level of the b-tree root node is greater than 1, nilfs_btree_get_nonroot_node(), which accesses the buffer memory of path[x].bp_bh, is called.

Fix this issue by adding a check to nilfs_btree_root_broken(), which performs sanity checks when reading the root node from the device, to detect this inconsistency.

Thanks to Lizhi Xu for trying to solve the bug and clarifying the cause early on.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: avoid OOB when system.data xattr changes underneath the filesystem

When looking up an entry in an inlined directory, if e_value_offs is changed underneath the filesystem by some change in the block device, it will lead to an out-of-bounds access that KASAN detects as a UAF.

EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: none.
loop0: detected capacity change from 2048 to 2047
==================================================================
BUG: KASAN: use-after-free in ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
Read of size 1 at addr ffff88803e91130f by task syz-executor269/5103

CPU: 0 UID: 0 PID: 5103 Comm: syz-executor269 Not tainted 6.11.0-rc4-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
ext4_search_dir+0xf2/0x1c0 fs/ext4/namei.c:1500
ext4_find_inline_entry+0x4be/0x5e0 fs/ext4/inline.c:1697
__ext4_find_entry+0x2b4/0x1b30 fs/ext4/namei.c:1573
ext4_lookup_entry fs/ext4/namei.c:1727 [inline]
ext4_lookup+0x15f/0x750 fs/ext4/namei.c:1795
lookup_one_qstr_excl+0x11f/0x260 fs/namei.c:1633
filename_create+0x297/0x540 fs/namei.c:3980
do_symlinkat+0xf9/0x3a0 fs/namei.c:4587
__do_sys_symlinkat fs/namei.c:4610 [inline]
__se_sys_symlinkat fs/namei.c:4607 [inline]
__x64_sys_symlinkat+0x95/0xb0 fs/namei.c:4607
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3e73ced469
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 21 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff4d40c258 EFLAGS: 00000246 ORIG_RAX: 000000000000010a
RAX: ffffffffffffffda RBX: 0032656c69662f2e RCX: 00007f3e73ced469
RDX: 0000000020000200 RSI: 00000000ffffff9c RDI: 00000000200001c0
RBP: 0000000000000000 R08: 00007fff4d40c290 R09: 00007fff4d40c290
R10: 0023706f6f6c2f76 R11: 0000000000000246 R12: 00007fff4d40c27c
R13: 0000000000000003 R14: 431bde82d7b634db R15: 00007fff4d40c2b0
</TASK>

Calling ext4_xattr_ibody_find right after reading the inode with ext4_get_inode_loc will lead to a check of the validity of the xattrs, avoiding this problem.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Check link_res->hpo_dp_link_enc before using it

[WHAT & HOW]
Functions dp_enable_link_phy and dp_disable_link_phy can pass link_res without initializing hpo_dp_link_enc and it is necessary to check for null before dereferencing.

This fixes 2 FORWARD_NULL issues reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

block: fix potential invalid pointer dereference in blk_add_partition

The blk_add_partition() function initially used a single if-condition (IS_ERR(part)) to check for errors when adding a partition. This was modified to handle the specific case of -ENXIO separately, allowing the function to proceed without logging the error in this case.

However, this change unintentionally left a path where md_autodetect_dev() could be called without confirming that part is a valid pointer.

This commit separates the error handling logic by splitting the initial if-condition, improving code readability and handling specific error scenarios explicitly. The function now distinguishes the general error case from -ENXIO without altering the existing behavior of md_autodetect_dev() calls.
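The nfsd entry earlier on this page (ZERO_SIZE_PTR from a zero-length memdup_user()) and this blk_add_partition entry share one lesson: a kernel pointer can be non-NULL, pass IS_ERR(), and still be undereferenceable. The C program below is an added example, not kernel code. ERR_PTR/IS_ERR/PTR_ERR and ZERO_SIZE_PTR are re-created in userspace with the kernel's values; struct cld_msg_like, memdup_user_like(), struct part_like and add_partition_like() are hypothetical stand-ins; and the two "demo guard" branches exist only so the program can report the would-be dereference instead of faulting on address 0x10 or on an error pointer.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace re-creation of the kernel's error-pointer convention (include/linux/err.h):
 * the top 4095 addresses encode -errno, and a zero-length allocation returns
 * ZERO_SIZE_PTR, a non-NULL sentinel that is neither a real object nor an ERR_PTR. */
#define MAX_ERRNO 4095
#define ZERO_SIZE_PTR ((void *)16)
static inline void *ERR_PTR(long err)      { return (void *)err; }
static inline long  PTR_ERR(const void *p) { return (long)p; }
static inline int   IS_ERR(const void *p)  { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

/* Case 1: nfsd cld downcall carrying a zero-length client name. */

struct cld_msg_like { uint16_t cn_len; char cn_id[64]; };   /* simplified, not the real layout */

/* memdup_user() stand-in: a zero-length copy yields ZERO_SIZE_PTR, exactly like kmalloc(0). */
static void *memdup_user_like(const void *src, size_t len)
{
    void *p;

    if (len == 0)
        return ZERO_SIZE_PTR;
    p = malloc(len);
    if (!p)
        return ERR_PTR(-ENOMEM);
    memcpy(p, src, len);
    return p;
}

enum { NAME_OK = 0, NAME_ZERO_SIZE_DEREF = 1 };

/* Pre-fix flow: only IS_ERR() is checked, so cn_len == 0 passes ZERO_SIZE_PTR onwards and
 * the first byte read in nfs4_client_to_reclaim() faults at address 0x10. */
int reclaim_name_before_fix(const struct cld_msg_like *msg, char *out, size_t outsz)
{
    void *data = memdup_user_like(msg->cn_id, msg->cn_len);

    if (IS_ERR(data))
        return (int)PTR_ERR(data);
    if (data == ZERO_SIZE_PTR)
        return NAME_ZERO_SIZE_DEREF;    /* demo guard: the real code dereferences here */
    memcpy(out, data, msg->cn_len < outsz ? msg->cn_len : outsz);
    free(data);
    return NAME_OK;
}

/* Post-fix flow: reject namelen == 0 before anything is allocated; the rest is unchanged. */
int reclaim_name_after_fix(const struct cld_msg_like *msg, char *out, size_t outsz)
{
    if (msg->cn_len == 0)
        return -EINVAL;
    return reclaim_name_before_fix(msg, out, outsz);
}

/* Case 2: blk_add_partition() letting -ENXIO fall through. */

struct part_like { int partno; };

/* add_partition() stand-in: returns the slot, or the injected error as an ERR_PTR. */
static struct part_like *add_partition_like(struct part_like *slot, int partno, long inject)
{
    if (inject)
        return ERR_PTR(inject);
    slot->partno = partno;
    return slot;
}

enum add_result { PART_ADDED, PART_SKIPPED_QUIETLY, PART_FAILED_LOGGED, PART_ERRPTR_DEREF };

/* Pre-fix flow: one condition both suppresses the log line for -ENXIO and skips the early
 * return, so 'part' is still an error pointer when the RAID autodetect path runs. */
enum add_result blk_add_partition_before_fix(long inject, int raid_flag)
{
    struct part_like slot, *part = add_partition_like(&slot, 1, inject);

    if (IS_ERR(part) && PTR_ERR(part) != -ENXIO)
        return PART_FAILED_LOGGED;      /* printk(...); return */
    if (raid_flag) {
        if (IS_ERR(part))
            return PART_ERRPTR_DEREF;   /* demo guard: md_autodetect_dev(part->bd_dev) faults here */
        (void)part->partno;             /* md_autodetect_dev(part->bd_dev) */
    }
    return IS_ERR(part) ? PART_SKIPPED_QUIETLY : PART_ADDED;
}

/* Post-fix flow: every error returns; only the log line depends on whether it is -ENXIO. */
enum add_result blk_add_partition_after_fix(long inject, int raid_flag)
{
    struct part_like slot, *part = add_partition_like(&slot, 1, inject);

    if (IS_ERR(part))
        return PTR_ERR(part) != -ENXIO ? PART_FAILED_LOGGED : PART_SKIPPED_QUIETLY;
    if (raid_flag)
        (void)part->partno;
    return PART_ADDED;
}
```

Both fixes move the check to the point where the untrusted value enters (the length from the corrupted database, the error code from add_partition) rather than guarding the dereference, which is the pattern to look for when reviewing similar code: a `!= -ENXIO` or `IS_ERR()` test that decides whether to log is not the same as a test that decides whether the pointer may be used.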


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

block, bfq: fix possible UAF for bfqq->bic with merge chain

1) initial state, three tasks:

		Process 1       Process 2       Process 3
		 (BIC1)          (BIC2)          (BIC3)
		  |  Λ            |  Λ            |  Λ
		  |  |            |  |            |  |
		  V  |            V  |            V  |
		  bfqq1           bfqq2           bfqq3
process ref:	   1		    1		     1

2) bfqq1 merged to bfqq2:

		Process 1       Process 2       Process 3
		 (BIC1)          (BIC2)          (BIC3)
		  |               |               |  Λ
		  \--------------\|               |  |
		                 V                V  |
		  bfqq1--------->bfqq2           bfqq3
process ref:	   0		    2		     1

3) bfqq2 merged to bfqq3:

		Process 1       Process 2       Process 3
		 (BIC1)          (BIC2)          (BIC3)
	 here -> Λ                |               |
		  \--------------\ \-------------\|
		                 V               V
		  bfqq1--------->bfqq2---------->bfqq3
process ref:	   0		    1		     3

In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then get bfqq3 through merge chain, and finally handle IO by bfqq3. However, current code will think bfqq2 is owned by BIC1, like initial state, and set bfqq2->bic to BIC1.

bfq_insert_request
-> by Process 1
 bfqq = bfq_init_rq(rq)
  bfqq = bfq_get_bfqq_handle_split
   bfqq = bic_to_bfqq
   -> get bfqq2 from BIC1
  bfqq->ref++
  rq->elv.priv[0] = bic
  rq->elv.priv[1] = bfqq
  if (bfqq_process_refs(bfqq) == 1)
   bfqq->bic = bic
   -> record BIC1 to bfqq2

  __bfq_insert_request
   new_bfqq = bfq_setup_cooperator
   -> get bfqq3 from bfqq2->new_bfqq
   bfqq_request_freed(bfqq)
   new_bfqq->ref++
   rq->elv.priv[1] = new_bfqq
   -> handle IO by bfqq3

Fix the problem by checking bfqq is from merge chain first. And this might fix a following problem reported by our syzkaller (unreproducible):

==================================================================
BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595

CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: kblockd blk_mq_requeue_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x10d/0x610 mm/kasan/report.c:475
kasan_report+0x8e/0xc0 mm/kasan/report.c:588
bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757
bfq_init_rq block/bfq-iosched.c:6876 [inline]
bfq_insert_request block/bfq-iosched.c:6254 [inline]
bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304
blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593
blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502
process_one_work kernel/workqueue.c:2627 [inline]
process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
</TASK>

Allocated by task 20776:
kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
kasan_slab_alloc include/linux/kasan.h:188 [inline]
slab_post_alloc_hook mm/slab.h:763 [inline]
slab_alloc_node mm/slub.c:3458 [inline]
kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503
ioc_create_icq block/blk-ioc.c:370 [inline]
---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev()

Blamed commit accidentally removed a check for rt->rt6i_idev being NULL, as spotted by syzbot:

Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 UID: 0 PID: 10998 Comm: syz-executor Not tainted 6.11.0-rc6-syzkaller-00208-g625403177711 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]
RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914
Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06
RSP: 0018:ffffc900047374e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0
RBP: ffffc900047375d0 R08: 0000000000000003 R09: fffff520008e6e8c
R10: dffffc0000000000 R11: fffff520008e6e8c R12: 1ffff1100fdf8f18
R13: ffff88807efc7998 R14: 0000000000000000 R15: ffff88807efc7930
FS: 0000000000000000(0000) GS:ffff8880b8900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020002a80 CR3: 0000000022f62000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
addrconf_ifdown+0x15d/0x1bd0 net/ipv6/addrconf.c:3856
addrconf_notify+0x3cb/0x1020
notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]
call_netdevice_notifiers net/core/dev.c:2046 [inline]
unregister_netdevice_many_notify+0xd81/0x1c40 net/core/dev.c:11352
unregister_netdevice_many net/core/dev.c:11414 [inline]
unregister_netdevice_queue+0x303/0x370 net/core/dev.c:11289
unregister_netdevice include/linux/netdevice.h:3129 [inline]
__tun_detach+0x6b9/0x1600 drivers/net/tun.c:685
tun_detach drivers/net/tun.c:701 [inline]
tun_chr_close+0x108/0x1b0 drivers/net/tun.c:3510
__fput+0x24a/0x8a0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:228
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xa2f/0x27f0 kernel/exit.c:882
do_group_exit+0x207/0x2c0 kernel/exit.c:1031
__do_sys_exit_group kernel/exit.c:1042 [inline]
__se_sys_exit_group kernel/exit.c:1040 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1acc77def9
Code: Unable to access opcode bytes at 0x7f1acc77decf.
RSP: 002b:00007ffeb26fa738 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1acc77def9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000043
RBP: 00007f1acc7dd508 R08: 00007ffeb26f84d7 R09: 0000000000000003
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000000003 R14: 00000000ffffffff R15: 00007ffeb26fa8e0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:rt6_uncached_list_flush_dev net/ipv6/route.c:177 [inline]
RIP: 0010:rt6_disable_ip+0x33e/0x7e0 net/ipv6/route.c:4914
Code: 41 80 3c 04 00 74 0a e8 90 d0 9b f7 48 8b 7c 24 08 48 8b 07 48 89 44 24 10 4c 89 f0 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 f7 e8 64 d0 9b f7 48 8b 44 24 18 49 39 06
RSP: 0018:ffffc900047374e0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 1ffff1100fdf8f33 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88807efc78c0
R ---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().

syzbot reported a warning in bcm_release(). [0]

The blamed change fixed another warning that is triggered when connect() is issued again for a socket whose connect()ed device has been unregistered.

However, if the socket is just close()d without the 2nd connect(), the remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry() in bcm_release().

Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().

[0]
name '4986'
WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Modules linked in:
CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07
RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246
RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a
R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640
R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bcm_release+0x250/0x880 net/can/bcm.c:1578
__sock_release net/socket.c:659 [inline]
sock_close+0xbc/0x240 net/socket.c:1421
__fput+0x24a/0x8a0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:228
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xa2f/0x27f0 kernel/exit.c:882
do_group_exit+0x207/0x2c0 kernel/exit.c:1031
__do_sys_exit_group kernel/exit.c:1042 [inline]
__se_sys_exit_group kernel/exit.c:1040 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcfb51ee969
Code: Unable to access opcode bytes at 0x7fcfb51ee93f.
RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000
R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0
R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160
</TASK>


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

sock_map: Add a cond_resched() in sock_hash_free()

Several syzbot soft lockup reports all have in common sock_hash_free().

If a map with a large number of buckets is destroyed, we need to yield the cpu when needed.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: fix potential RCU dereference issue in wilc_parse_join_bss_param In the `wilc_parse_join_bss_param` function, the TSF field of the `ies` structure is accessed after the RCU read-side critical section is unlocked. According to RCU usage rules, this is illegal. Reusing this pointer can lead to unpredictable behavior, including accessing memory that has been updated or causing use-after-free issues. This possible bug was identified using a static analysis tool developed by myself, specifically designed to detect RCU-related issues. To address this, the TSF value is now stored in a local variable `ies_tsf` before the RCU lock is released. The `param->tsf_lo` field is then assigned using this local variable, ensuring that the TSF value is safely accessed.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: use two-phase skb reclamation in ieee80211_do_stop()

Since '__dev_queue_xmit()' should be called with interrupts enabled, the following backtrace:

ieee80211_do_stop()
  ...
  spin_lock_irqsave(&local->queue_stop_reason_lock, flags)
  ...
  ieee80211_free_txskb()
    ieee80211_report_used_skb()
      ieee80211_report_ack_skb()
        cfg80211_mgmt_tx_status_ext()
          nl80211_frame_tx_status()
            genlmsg_multicast_netns()
              genlmsg_multicast_netns_filtered()
                nlmsg_multicast_filtered()
                  netlink_broadcast_filtered()
                    do_one_broadcast()
                      netlink_broadcast_deliver()
                        __netlink_sendskb()
                          netlink_deliver_tap()
                            __netlink_deliver_tap_skb()
                              dev_queue_xmit()
                                __dev_queue_xmit() ; with IRQS disabled
  ...
  spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags)

issues the warning (as reported by syzbot reproducer):

WARNING: CPU: 2 PID: 5128 at kernel/softirq.c:362 __local_bh_enable_ip+0xc3/0x120

Fix this by implementing a two-phase skb reclamation in 'ieee80211_do_stop()', where actual work is performed outside of a section with interrupts disabled.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: always wait for both firmware loading attempts In 'rtw_wait_firmware_completion()', always wait for both (regular and wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()' has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue 'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually the wowlan one) is still in progress, causing UAF detected by KASAN.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Add null check for set_output_gamma in dcn30_set_output_transfer_func

This commit adds a null check for the set_output_gamma function pointer in the dcn30_set_output_transfer_func function.

Previously, set_output_gamma was being checked for nullity at line 386, but then it was being dereferenced without any nullity check at line 401. This could potentially lead to a null pointer dereference error if set_output_gamma is indeed null.

To fix this, we now ensure that set_output_gamma is not null before dereferencing it. We do this by adding a nullity check for set_output_gamma before the call to set_output_gamma at line 401. If set_output_gamma is null, we log an error message and do not call the function.

This fix prevents a potential null pointer dereference error.

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:401 dcn30_set_output_transfer_func() error: we previously assumed 'mpc->funcs->set_output_gamma' could be null (see line 386)

drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c
    373 bool dcn30_set_output_transfer_func(struct dc *dc,
    374                                 struct pipe_ctx *pipe_ctx,
    375                                 const struct dc_stream_state *stream)
    376 {
    377         int mpcc_id = pipe_ctx->plane_res.hubp->inst;
    378         struct mpc *mpc = pipe_ctx->stream_res.opp->ctx->dc->res_pool->mpc;
    379         const struct pwl_params *params = NULL;
    380         bool ret = false;
    381
    382         /* program OGAM or 3DLUT only for the top pipe*/
    383         if (pipe_ctx->top_pipe == NULL) {
    384                 /*program rmu shaper and 3dlut in MPC*/
    385                 ret = dcn30_set_mpc_shaper_3dlut(pipe_ctx, stream);
    386                 if (ret == false && mpc->funcs->set_output_gamma) {
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                                            If this is NULL

    387                         if (stream->out_transfer_func.type == TF_TYPE_HWPWL)
    388                                 params = &stream->out_transfer_func.pwl;
    389                         else if (pipe_ctx->stream->out_transfer_func.type ==
    390                                 TF_TYPE_DISTRIBUTED_POINTS &&
    391                                 cm3_helper_translate_curve_to_hw_format(
    392                                 &stream->out_transfer_func,
    393                                 &mpc->blender_params, false))
    394                                 params = &mpc->blender_params;
    395                         /* there are no ROM LUTs in OUTGAM */
    396                         if (stream->out_transfer_func.type == TF_TYPE_PREDEFINED)
    397                                 BREAK_TO_DEBUGGER();
    398                 }
    399         }
    400
--> 401         mpc->funcs->set_output_gamma(mpc, mpcc_id, params);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                Then it will crash

    402         return ret;
    403 }


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

jfs: fix out-of-bounds in dbNextAG() and diAlloc()

In dbNextAG(), there is no check for the case where bmp->db_numag is greater than or equal to MAXAG due to a polluted image, which causes an out-of-bounds access. Therefore, a bounds check should be added in dbMount(). And in dbNextAG(), a check for the case where agpref is greater than bmp->db_numag should be added, so that an out-of-bounds exception is prevented. Additionally, a check for the case where agno is greater than or equal to MAXAG should be added in diAlloc() to prevent out-of-bounds access.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: x86/tdx: Fix "in-kernel MMIO" check TDX only supports kernel-initiated MMIO operations. The handle_mmio() function checks if the #VE exception occurred in the kernel and rejects the operation if it did not. However, userspace can deceive the kernel into performing MMIO on its behalf. For example, if userspace can point a syscall to an MMIO address, syscall does get_user() or put_user() on it, triggering MMIO #VE. The kernel will treat the #VE as in-kernel MMIO. Ensure that the target MMIO address is within the kernel before decoding instruction.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error

For all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input arguments, zero the value for the case of an error as otherwise it could leak memory. For tracing, it is not needed given CAP_PERFMON can already read all kernel memory anyway, hence bpf_get_func_arg() and bpf_get_func_ret() are skipped in here.

Also, the MTU helpers' mtu_len pointer value is being written but also read. Technically, the MEM_UNINIT should not be there in order to always force init. Removing MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now implies two things actually: i) write into memory, ii) memory does not have to be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory, ii) memory must be initialized. This means that for bpf_*_check_mtu() we're re-adding the issue we're trying to fix, that is, it would then be able to write back into things like .rodata BPF maps. Follow-up work will rework the MEM_UNINIT semantics such that the intent can be better expressed. For now just clear the *mtu_len on error path which can be lifted later again.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm - inject error before stopping queue The master ooo cannot be completely closed when the accelerator core reports memory error. Therefore, the driver needs to inject the qm error to close the master ooo. Currently, the qm error is injected after stopping queue, memory may be released immediately after stopping queue, causing the device to access the released memory. Therefore, error is injected to close master ooo before stopping queue to ensure that the device does not access the released memory.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/hns: Fix spin_unlock_irqrestore() called with IRQs enabled

Fix misuse of spin_lock_irq()/spin_unlock_irq() when spin_lock_irqsave()/spin_lock_irqrestore() was held. This was discovered through the lock debugging, and the corresponding log is as follows:

raw_local_irq_restore() called with IRQs enabled
WARNING: CPU: 96 PID: 2074 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x30/0x40
...
Call trace:
 warn_bogus_irq_restore+0x30/0x40
 _raw_spin_unlock_irqrestore+0x84/0xc8
 add_qp_to_list+0x11c/0x148 [hns_roce_hw_v2]
 hns_roce_create_qp_common.constprop.0+0x240/0x780 [hns_roce_hw_v2]
 hns_roce_create_qp+0x98/0x160 [hns_roce_hw_v2]
 create_qp+0x138/0x258
 ib_create_qp_kernel+0x50/0xe8
 create_mad_qp+0xa8/0x128
 ib_mad_port_open+0x218/0x448
 ib_mad_init_device+0x70/0x1f8
 add_client_context+0xfc/0x220
 enable_device_and_get+0xd0/0x140
 ib_register_device.part.0+0xf4/0x1c8
 ib_register_device+0x34/0x50
 hns_roce_register_device+0x174/0x3d0 [hns_roce_hw_v2]
 hns_roce_init+0xfc/0x2c0 [hns_roce_hw_v2]
 __hns_roce_hw_v2_init_instance+0x7c/0x1d0 [hns_roce_hw_v2]
 hns_roce_hw_v2_init_instance+0x9c/0x180 [hns_roce_hw_v2]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: call cache_put if xdr_reserve_space returns NULL

If not enough buffer space is available, but idmap_lookup has triggered lookup_fn which calls cache_get and returns successfully, then we miss calling cache_put here, which pairs with cache_get.

Reviewed-by: Jeff Layton <jlayton@kernel.org>


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mac80211: don't use rate mask for offchannel TX either

Like the commit ab9177d83c04 ("wifi: mac80211: don't use rate mask for scanning"), ignore incorrect settings to avoid the "no supported rate" warning reported by syzbot.

The syzbot did bisect and found the cause is commit 9df66d5b9f45 ("cfg80211: fix default HE tx bitrate mask in 2G band"), which however corrects the bitmask of HE MCS and correctly recognizes settings of empty legacy rate plus HE MCS rate instead of returning -EINVAL.

As suggested [1], follow the change of SCAN TX to consider this case of offchannel TX as well.

[1] https://lore.kernel.org/linux-wireless/6ab2dc9c3afe753ca6fdcdd1421e7a1f47e87b84.camel@sipsolutions.net/T/#m2ac2a6d2be06a37c9c47a3d8a44b4f647ed4f024


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: padata: use integer wrap around to prevent deadlock on seq_nr overflow When submitting more than 2^32 padata objects to padata_do_serial, the current sorting implementation incorrectly sorts padata objects with overflowed seq_nr, causing them to be placed before existing objects in the reorder list. This leads to a deadlock in the serialization process as padata_find_next cannot match padata->seq_nr and pd->processed because the padata instance with overflowed seq_nr will be selected next. To fix this, we use an unsigned integer wrap around to correctly sort padata objects in scenarios with integer overflow.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

firmware_loader: Block path traversal

Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such.

However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are:

- lpfc_sli4_request_firmware_update() seems to construct the firmware filename from "ModelName", a string that was previously parsed out of some descriptor ("Vital Product Data") in lpfc_fill_vpd()

- nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I think parses some descriptor that was read from the device. (But this case likely isn't exploitable because the format string looks like "netronome/nic_%s", and there shouldn't be any *folders* starting with "netronome/nic_". The previous case was different because there, the "%s" is *at the start* of the format string.)

- module_flash_fw_schedule() is reachable from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is enough to pass the privilege check), and takes a userspace-provided firmware name. (But I think to reach this case, you need to have CAP_NET_ADMIN over a network namespace that a special kind of ethernet device is mapped into, so I think this is not a viable attack path in practice.)

Fix it by rejecting any firmware names containing ".." path components.

For what it's worth, I went looking and haven't found any USB device drivers that use the firmware loader dangerously.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

mm: call the security_mmap_file() LSM hook in remap_file_pages()

The remap_file_pages syscall handler calls do_mmap() directly, which doesn't contain the LSM security check. And if the process has called personality(READ_IMPLIES_EXEC) before and remap_file_pages() is called for RW pages, this will actually result in remapping the pages to RWX, bypassing a W^X policy enforced by SELinux.

So we should check prot by security_mmap_file LSM hook in the remap_file_pages syscall handler before do_mmap() is called. Otherwise, it potentially permits an attacker to bypass a W^X policy enforced by SELinux.

The bypass is similar to CVE-2016-10044, which bypasses the same thing via AIO and can be found in [1].

The PoC:

$ cat > test.c
int main(void) {
	size_t pagesz = sysconf(_SC_PAGE_SIZE);
	int mfd = syscall(SYS_memfd_create, "test", 0);
	const char *buf = mmap(NULL, 4 * pagesz, PROT_READ | PROT_WRITE,
			       MAP_SHARED, mfd, 0);
	unsigned int old = syscall(SYS_personality, 0xffffffff);
	syscall(SYS_personality, READ_IMPLIES_EXEC | old);
	syscall(SYS_remap_file_pages, buf, pagesz, 0, 2, 0);
	syscall(SYS_personality, old);
	// show the RWX page exists even if W^X policy is enforced
	int fd = open("/proc/self/maps", O_RDONLY);
	unsigned char buf2[1024];
	while (1) {
		int ret = read(fd, buf2, 1024);
		if (ret <= 0) break;
		write(1, buf2, ret);
	}
	close(fd);
}
$ gcc test.c -o test
$ ./test | grep rwx
7f1836c34000-7f1836c35000 rwxs 00002000 00:01 2050 /memfd:test (deleted)

[PM: subject line tweaks]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

net: seeq: Fix use after free vulnerability in ether3 Driver Due to Race Condition

In the ether3_probe function, a timer is initialized with a callback function ether3_ledoff, bound to &prev(dev)->timer. Once the timer is started, there is a risk of a race condition if the module or device is removed, triggering the ether3_remove function to perform cleanup. The sequence of operations that may lead to a UAF bug is as follows:

CPU0                            CPU1

                        |    ether3_ledoff
ether3_remove           |
  free_netdev(dev);     |
  put_devic             |
  kfree(dev);           |
                        |    ether3_outw(priv(dev)->regs.config2 |= CFG2_CTRLO, REG_CONFIG2);
                        |    // use dev

Fix it by ensuring that the timer is canceled before proceeding with the cleanup in ether3_remove.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: vhost_vdpa: assign irq bypass producer token correctly We used to call irq_bypass_unregister_producer() in vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the token pointer is still valid or not. Actually, we use the eventfd_ctx as the token so the life cycle of the token should be bound to the VHOST_SET_VRING_CALL instead of vhost_vdpa_setup_vq_irq() which could be called by set_status(). Fixing this by setting up irq bypass producer's token when handling VHOST_SET_VRING_CALL and un-registering the producer before calling vhost_vring_ioctl() to prevent a possible use after free as eventfd could have been released in vhost_vring_ioctl(). And such registering and unregistering will only be done if DRIVER_OK is set.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/cxgb4: Added NULL check for lookup_atid The lookup_atid() function can return NULL if the ATID is invalid or does not exist in the identifier table, which could lead to dereferencing a null pointer without a check in the `act_establish()` and `act_open_rpl()` functions. Add a NULL check to prevent null pointer dereferencing. Found by Linux Verification Center (linuxtesting.org) with SVACE.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: PCI: keystone: Fix if-statement expression in ks_pcie_quirk() This code accidentally uses && where || was intended. It potentially results in a NULL dereference. Thus, fix the if-statement expression to use the correct condition. [kwilczynski: commit log]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential oob read in nilfs_btree_check_delete() The function nilfs_btree_check_delete(), which checks whether degeneration to direct mapping occurs before deleting a b-tree entry, causes memory access outside the block buffer when retrieving the maximum key if the root node has no entries. This does not usually happen because b-tree mappings with 0 child nodes are never created by mkfs.nilfs2 or nilfs2 itself. However, it can happen if the b-tree root node read from a device is configured that way, so fix this potential issue by adding a check for that case.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: correctly handle malformed BPF_CORE_TYPE_ID_LOCAL relos

In case of malformed relocation record of kind BPF_CORE_TYPE_ID_LOCAL referencing a non-existing BTF type, function bpf_core_calc_relo_insn would cause a null pointer dereference.

Fix this by adding a proper check higher up in the call stack, as malformed relocation records could be passed from user space.

Simplest reproducer is a program:

    r0 = 0
    exit

With a single relocation record:

    .insn_off = 0,          /* patch first instruction */
    .type_id = 100500,      /* this type id does not exist */
    .access_str_off = 6,    /* offset of string "0" */
    .kind = BPF_CORE_TYPE_ID_LOCAL,

See the link for original reproducer or next commit for a test case.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: tpm: Clean up TPM space after command failure tpm_dev_transmit prepares the TPM space before attempting command transmission. However if the command fails no rollback of this preparation is done. This can result in transient handles being leaked if the device is subsequently closed with no further commands performed. Fix this by flushing the space in the event of command transmission failure.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: elx: libefc: Fix potential use after free in efc_nport_vport_del() The kref_put() function will call nport->release if the refcount drops to zero. The nport->release release function is _efc_nport_free() which frees "nport". But then we dereference "nport" on the next line which is a use after free. Re-order these lines to avoid the use after free.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

nbd: fix race between timeout and normal completion

If request timeout is handled by nbd_requeue_cmd(), normal completion has to be stopped to avoid completing this requeued request; otherwise a use-after-free can be triggered.

Fix the race by clearing NBD_CMD_INFLIGHT in nbd_requeue_cmd(), and meanwhile make sure that cmd->lock is grabbed for clearing the flag and the requeue.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: efistub/tpm: Use ACPI reclaim memory for event log to avoid corruption The TPM event log table is a Linux specific construct, where the data produced by the GetEventLog() boot service is cached in memory, and passed on to the OS using an EFI configuration table. The use of EFI_LOADER_DATA here results in the region being left unreserved in the E820 memory map constructed by the EFI stub, and this is the memory description that is passed on to the incoming kernel by kexec, which is therefore unaware that the region should be reserved. Even though the utility of the TPM2 event log after a kexec is questionable, any corruption might send the parsing code off into the weeds and crash the kernel. So let's use EFI_ACPI_RECLAIM_MEMORY instead, which is always treated as reserved by the E820 conversion logic.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ACPI: sysfs: validate return type of _STR method Only buffer objects are valid return values of _STR. If something else is returned description_show() will access invalid memory.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Ссылки

Описание

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix helper writes to read-only maps Lonial found an issue that despite user- and BPF-side frozen BPF map (like in case of .rodata), it was still possible to write into it from a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT} as arguments. In check_func_arg() when the argument is as mentioned, the meta->raw_mode is never set. Later, check_helper_mem_access(), under the case of PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the subsequent call to check_map_access_type() and given the BPF map is read-only it succeeds. The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT when results are written into them as opposed to read out of them. The latter indicates that it's okay to pass a pointer to uninitialized memory as the memory is written to anyway. However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM just with additional alignment requirement. So it is better to just get rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the fixed size memory types. For this, add MEM_ALIGNED to additionally ensure alignment given these helpers write directly into the args via *<ptr> = val. The .arg*_size has been initialized reflecting the actual sizeof(*<ptr>). MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated argument types, since in !MEM_FIXED_SIZE cases the verifier does not know the buffer size a priori and therefore cannot blindly write *<ptr> = val.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()

Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from control queue handler") a null pointer dereference bug can be triggered when a guest sends a SCSI AN request. In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with `&v_req.tmf.lun[1]` within a switch-case block and is then passed to vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is set to NULL in this branch. Later, in vhost_scsi_get_req(), `vc->target` is dereferenced without being checked, leading to a null pointer dereference bug. This bug can be triggered from the guest. When this bug occurs, the vhost_worker process is killed while holding `vq->mutex` and the corresponding tpg will remain occupied indefinitely.

Below is the KASAN report:

```
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:vhost_scsi_get_req+0x165/0x3a0
Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 <0f> b6 04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00
RSP: 0018:ffff888017affb50 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8
RBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000
FS:  000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0
Call Trace:
 <TASK>
 ? show_regs+0x86/0xa0
 ? die_addr+0x4b/0xd0
 ? exc_general_protection+0x163/0x260
 ? asm_exc_general_protection+0x27/0x30
 ? vhost_scsi_get_req+0x165/0x3a0
 vhost_scsi_ctl_handle_vq+0x2a4/0xca0
 ? __pfx_vhost_scsi_ctl_handle_vq+0x10/0x10
 ? __switch_to+0x721/0xeb0
 ? __schedule+0xda5/0x5710
 ? __kasan_check_write+0x14/0x30
 ? _raw_spin_lock+0x82/0xf0
 vhost_scsi_ctl_handle_kick+0x52/0x90
 vhost_run_work_list+0x134/0x1b0
 vhost_task_fn+0x121/0x350
 ...
 </TASK>
---[ end trace 0000000000000000 ]---
```

Let's add a check in vhost_scsi_get_req.

[whitespace fixes]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Fix a race during cpuhp processing

There is another found exception that the "timerlat/1" thread was scheduled on CPU0, and finally led to timer corruption:

```
ODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220
WARNING: CPU: 0 PID: 426 at lib/debugobjects.c:518 debug_print_object+0x7d/0xb0
Modules linked in:
CPU: 0 UID: 0 PID: 426 Comm: timerlat/1 Not tainted 6.11.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:debug_print_object+0x7d/0xb0
...
Call Trace:
 <TASK>
 ? __warn+0x7c/0x110
 ? debug_print_object+0x7d/0xb0
 ? report_bug+0xf1/0x1d0
 ? prb_read_valid+0x17/0x20
 ? handle_bug+0x3f/0x70
 ? exc_invalid_op+0x13/0x60
 ? asm_exc_invalid_op+0x16/0x20
 ? debug_print_object+0x7d/0xb0
 ? debug_print_object+0x7d/0xb0
 ? __pfx_timerlat_irq+0x10/0x10
 __debug_object_init+0x110/0x150
 hrtimer_init+0x1d/0x60
 timerlat_main+0xab/0x2d0
 ? __pfx_timerlat_main+0x10/0x10
 kthread+0xb7/0xe0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2d/0x40
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30
 </TASK>
```

After tracing the scheduling event, it was discovered that the migration of the "timerlat/1" thread was performed during thread creation. Further analysis confirmed that it is because the CPU online processing for osnoise is implemented through workers, which is asynchronous with the offline processing. When the worker was scheduled to create a thread, the CPU may have already been removed from the cpu_online_mask during the offline process, resulting in the inability to select the right CPU:

```
T1                       | T2
[CPUHP_ONLINE]           | cpu_device_down()
osnoise_hotplug_workfn() |
                         |   cpus_write_lock()
                         |   takedown_cpu(1)
                         |   cpus_write_unlock()
[CPUHP_OFFLINE]          |
  cpus_read_lock()       |
  start_kthread(1)       |
  cpus_read_unlock()     |
```

To fix this, skip online processing if the CPU is already offline.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: btrfs: wait for fixup workers before stopping cleaner kthread during umount

During unmount, at close_ctree(), we have the following steps in this order:

1) Park the cleaner kthread - this doesn't destroy the kthread, it basically halts its execution (wake ups against it work but do nothing);

2) We stop the cleaner kthread - this results in freeing the respective struct task_struct;

3) We call btrfs_stop_all_workers() which waits for any jobs running in all the work queues and then frees the work queues.

Syzbot reported a case where a fixup worker resulted in a crash when doing a delayed iput on its inode while attempting to wake up the cleaner at btrfs_add_delayed_iput(), because the task_struct of the cleaner kthread was already freed. This can happen during unmount because we don't wait for any fixup workers still running before we call kthread_stop() against the cleaner kthread, which stops and frees all its resources.

Fix this by waiting for any fixup workers at close_ctree() before we call kthread_stop() against the cleaner and run pending delayed iputs.

The stack traces reported by syzbot were the following:

```
BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52

CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btrfs-fixup btrfs_work_helper
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x169/0x550 mm/kasan/report.c:488
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
 lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
 class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
 try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154
 btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842
 btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314
 process_one_work kernel/workqueue.c:3229 [inline]
 process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
 worker_thread+0x870/0xd30 kernel/workqueue.c:3391
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Allocated by task 2:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 unpoison_slab_object mm/kasan/common.c:319 [inline]
 __kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
 kasan_slab_alloc include/linux/kasan.h:247 [inline]
 slab_post_alloc_hook mm/slub.c:4086 [inline]
 slab_alloc_node mm/slub.c:4135 [inline]
 kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187
 alloc_task_struct_node kernel/fork.c:180 [inline]
 dup_task_struct+0x57/0x8c0 kernel/fork.c:1107
 copy_process+0x5d1/0x3d50 kernel/fork.c:2206
 kernel_clone+0x223/0x880 kernel/fork.c:2787
 kernel_thread+0x1bc/0x240 kernel/fork.c:2849
 create_kthread kernel/kthread.c:412 [inline]
 kthreadd+0x60d/0x810 kernel/kthread.c:765
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 61:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_h
```

---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a NULL pointer dereference when failed to start a new transaction

[BUG]
Syzbot reported a NULL pointer dereference with the following crash:

```
FAULT_INJECTION: forcing a failure.
 start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676
 prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642
 relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678
...
BTRFS info (device loop0): balance: ended with status: -12
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667]
RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926
Call Trace:
 <TASK>
 commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496
 btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430
 del_balance_item fs/btrfs/volumes.c:3678 [inline]
 reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742
 btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574
 btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
```

[CAUSE]
The allocation failure happens at the start_transaction() inside prepare_to_relocate(), and during the error handling we call unset_reloc_control(), which makes fs_info->balance_ctl NULL. Then we continue the error path cleanup in btrfs_balance() by calling reset_balance_state() which will call del_balance_item() to fully delete the balance item in the root tree.

However, during the small window between set_reloc_control() and unset_reloc_control(), we can have a subvolume tree update and create a reloc_root for that subvolume.

Then we go into the final btrfs_commit_transaction() of del_balance_item(), and into btrfs_update_reloc_root() inside commit_fs_roots(). That function checks if fs_info->reloc_ctl is in the merge_reloc_tree stage, but since fs_info->reloc_ctl is NULL, it results in a NULL pointer dereference.

[FIX]
Just add an extra check on fs_info->reloc_ctl inside btrfs_update_reloc_root(), before checking fs_info->reloc_ctl->merge_reloc_tree. That DEAD_RELOC_TREE handling is to prevent further modification to the reloc tree during the merge stage, but since there is no reloc_ctl at all, we do not need to bother with that.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix dentry leak in cachefiles_open_file()

A dentry leak may be caused when a lookup cookie and a cull are concurrent:

```
P1                                          | P2
-----------------------------------------------------------
cachefiles_lookup_cookie
  cachefiles_look_up_object
    lookup_one_positive_unlocked
    // get dentry
                                            | cachefiles_cull
                                            |   inode->i_flags |= S_KERNEL_FILE;
    cachefiles_open_file
      cachefiles_mark_inode_in_use
        __cachefiles_mark_inode_in_use
          can_use = false
          if (!(inode->i_flags & S_KERNEL_FILE))
            can_use = true
          return false
        return false
        // Returns an error but doesn't put dentry
```

After that the following WARNING will be triggered when the backend folder is umounted:

```
==================================================================
BUG: Dentry 000000008ad87947{i=7a,n=Dx_1_1.img} still in use (1) [unmount of ext4 sda]
WARNING: CPU: 4 PID: 359261 at fs/dcache.c:1767 umount_check+0x5d/0x70
CPU: 4 PID: 359261 Comm: umount Not tainted 6.6.0-dirty #25
RIP: 0010:umount_check+0x5d/0x70
Call Trace:
 <TASK>
 d_walk+0xda/0x2b0
 do_one_tree+0x20/0x40
 shrink_dcache_for_umount+0x2c/0x90
 generic_shutdown_super+0x20/0x160
 kill_block_super+0x1a/0x40
 ext4_kill_sb+0x22/0x40
 deactivate_locked_super+0x35/0x80
 cleanup_mnt+0x104/0x160
==================================================================
```

Whether cachefiles_open_file() returns true or false, the reference count obtained by lookup_positive_unlocked() in cachefiles_look_up_object() should be released. Therefore release that reference count in cachefiles_look_up_object() to fix the above issue and simplify the code.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: Input: adp5589-keys - fix NULL pointer dereference We register a devm action to call adp5589_clear_config() and then pass the i2c client as argument so that we can call i2c_get_clientdata() in order to get our device object. However, i2c_set_clientdata() is only being set at the end of the probe function which means that we'll get a NULL pointer dereference in case the probe function fails early.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: nfsd: map the EBADMSG to nfserr_io to avoid warning

Ext4 will throw -EBADMSG through ext4_readdir when a checksum error occurs, resulting in the following WARNING. Fix it by mapping EBADMSG to nfserr_io.

```
nfsd_buffered_readdir
  iterate_dir // -EBADMSG -74
    ext4_readdir // .iterate_shared
      ext4_dx_readdir
        ext4_htree_fill_tree
          htree_dirblock_to_tree
            ext4_read_dirblock
              __ext4_read_dirblock
                ext4_dirblock_csum_verify
                  warn_no_space_for_csum
                    __warn_no_space_for_csum
                return ERR_PTR(-EFSBADCRC) // -EBADMSG -74
  nfserrno // WARNING
```

```
[  161.115610] ------------[ cut here ]------------
[  161.116465] nfsd: non-standard errno: -74
[  161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0
[  161.118596] Modules linked in:
[  161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138
[  161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
[  161.123601] RIP: 0010:nfserrno+0x9d/0xd0
[  161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6 05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33
[  161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286
[  161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a
[  161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827
[  161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021
[  161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8
[  161.135244] FS:  0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000
[  161.136695] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0
[  161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  161.141519] PKRU: 55555554
[  161.142076] Call Trace:
[  161.142575]  ? __warn+0x9b/0x140
[  161.143229]  ? nfserrno+0x9d/0xd0
[  161.143872]  ? report_bug+0x125/0x150
[  161.144595]  ? handle_bug+0x41/0x90
[  161.145284]  ? exc_invalid_op+0x14/0x70
[  161.146009]  ? asm_exc_invalid_op+0x12/0x20
[  161.146816]  ? nfserrno+0x9d/0xd0
[  161.147487]  nfsd_buffered_readdir+0x28b/0x2b0
[  161.148333]  ? nfsd4_encode_dirent_fattr+0x380/0x380
[  161.149258]  ? nfsd_buffered_filldir+0xf0/0xf0
[  161.150093]  ? wait_for_concurrent_writes+0x170/0x170
[  161.151004]  ? generic_file_llseek_size+0x48/0x160
[  161.151895]  nfsd_readdir+0x132/0x190
[  161.152606]  ? nfsd4_encode_dirent_fattr+0x380/0x380
[  161.153516]  ? nfsd_unlink+0x380/0x380
[  161.154256]  ? override_creds+0x45/0x60
[  161.155006]  nfsd4_encode_readdir+0x21a/0x3d0
[  161.155850]  ? nfsd4_encode_readlink+0x210/0x210
[  161.156731]  ? write_bytes_to_xdr_buf+0x97/0xe0
[  161.157598]  ? __write_bytes_to_xdr_buf+0xd0/0xd0
[  161.158494]  ? lock_downgrade+0x90/0x90
[  161.159232]  ? nfs4svc_decode_voidarg+0x10/0x10
[  161.160092]  nfsd4_encode_operation+0x15a/0x440
[  161.160959]  nfsd4_proc_compound+0x718/0xe90
[  161.161818]  nfsd_dispatch+0x18e/0x2c0
[  161.162586]  svc_process_common+0x786/0xc50
[  161.163403]  ? nfsd_svc+0x380/0x380
[  161.164137]  ? svc_printk+0x160/0x160
[  161.164846]  ? svc_xprt_do_enqueue.part.0+0x365/0x380
[  161.165808]  ? nfsd_svc+0x380/0x380
[  161.166523]  ? rcu_is_watching+0x23/0x40
[  161.167309]  svc_process+0x1a5/0x200
[  161.168019]  nfsd+0x1f5/0x380
[  161.168663]  ? nfsd_shutdown_threads+0x260/0x260
[  161.169554]  kthread+0x1c4/0x210
[  161.170224]  ? kthread_insert_work_sanity_check+0x80/0x80
[  161.171246]  ret_from_fork+0x1f/0x30
```


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if bh is NULL.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: drm: omapdrm: Add missing check for alloc_ordered_workqueue As it may return NULL pointer and cause NULL pointer dereference. Add check for the return value of alloc_ordered_workqueue.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: update orig_path in ext4_find_extent()

In ext4_find_extent(), if the path is not big enough, we free it and set *orig_path to NULL. But after reallocating and successfully initializing the path, we don't update *orig_path, in which case the caller gets a valid path but a NULL ppath, and this may cause a NULL pointer dereference or a path memory leak. For example:

```
ext4_split_extent
  path = *ppath = 2000
  ext4_find_extent
    if (depth > path[0].p_maxdepth)
      kfree(path = 2000);
      *orig_path = path = NULL;
      path = kcalloc() = 3000
  ext4_split_extent_at(*ppath = NULL)
    path = *ppath;
    ex = path[depth].p_ext;
    // NULL pointer dereference!
```

```
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000010
CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847
RIP: 0010:ext4_split_extent_at+0x6d/0x560
Call Trace:
 <TASK>
 ext4_split_extent.isra.0+0xcb/0x1b0
 ext4_ext_convert_to_initialized+0x168/0x6c0
 ext4_ext_handle_unwritten_extents+0x325/0x4d0
 ext4_ext_map_blocks+0x520/0xdb0
 ext4_map_blocks+0x2b0/0x690
 ext4_iomap_begin+0x20e/0x2c0
[...]
==================================================================
```

Therefore, *orig_path is updated when the extent lookup succeeds, so that the caller can safely use path or *ppath.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: fix double brelse() the buffer of the extents path

In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been released, otherwise it may be released twice. An example of what triggers this is as follows:

```
  split2    map    split1
|--------|-------|--------|
ext4_ext_map_blocks
  ext4_ext_handle_unwritten_extents
    ext4_split_convert_extents
      // path->p_depth == 0
      ext4_split_extent
        // 1. do split1
        ext4_split_extent_at
        |ext4_ext_insert_extent
        |  ext4_ext_create_new_leaf
        |    ext4_ext_grow_indepth
        |      le16_add_cpu(&neh->eh_depth, 1)
        |    ext4_find_extent
        |      // return -ENOMEM
        |// get error and try zeroout
        |path = ext4_find_extent
        |  path->p_depth = 1
        |ext4_ext_try_to_merge
        |  ext4_ext_try_to_merge_up
        |    path->p_depth = 0
        |    brelse(path[1].p_bh)  ---> not set to NULL here
        |// zeroout success
        // 2. update path
        ext4_find_extent
        // 3. do split2
        ext4_split_extent_at
          ext4_ext_insert_extent
            ext4_ext_create_new_leaf
              ext4_ext_grow_indepth
                le16_add_cpu(&neh->eh_depth, 1)
              ext4_find_extent
                path[0].p_bh = NULL;
                path->p_depth = 1
                read_extent_tree_block  ---> return err
                // path[1].p_bh is still the old value
                ext4_free_ext_path
                  ext4_ext_drop_refs
                    // path->p_depth == 1
                    brelse(path[1].p_bh)  ---> brelse a buffer twice
```

Finally got the following WARNING when removing the buffer from lru:

```
============================================
VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90
CPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716
RIP: 0010:__brelse+0x58/0x90
Call Trace:
 <TASK>
 __find_get_block+0x6e7/0x810
 bdev_getblk+0x2b/0x480
 __ext4_get_inode_loc+0x48a/0x1240
 ext4_get_inode_loc+0xb2/0x150
 ext4_reserve_inode_write+0xb7/0x230
 __ext4_mark_inode_dirty+0x144/0x6a0
 ext4_ext_insert_extent+0x9c8/0x3230
 ext4_ext_map_blocks+0xf45/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
[...]
============================================
```


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid use-after-free in ext4_ext_insert_extent()

As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and cause UAF. Below is a sample trace with dummy values:

```
ext4_ext_insert_extent
  path = *ppath = 2000
  ext4_ext_create_new_leaf(ppath)
    ext4_find_extent(ppath)
      path = *ppath = 2000
      if (depth > path[0].p_maxdepth)
        kfree(path = 2000);
        *ppath = path = NULL;
        path = kcalloc() = 3000
        *ppath = 3000;
      return path;
  /* here path is still 2000, UAF! */
  eh = path[depth].p_hdr
```

```
==================================================================
BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330
Read of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179
CPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866
Call Trace:
 <TASK>
 ext4_ext_insert_extent+0x26d4/0x3330
 ext4_ext_map_blocks+0xe22/0x2d40
 ext4_map_blocks+0x71e/0x1700
 ext4_do_writepages+0x1290/0x2800
[...]
Allocated by task 179:
 ext4_find_extent+0x81c/0x1f70
 ext4_ext_map_blocks+0x146/0x2d40
 ext4_map_blocks+0x71e/0x1700
 ext4_do_writepages+0x1290/0x2800
 ext4_writepages+0x26d/0x4e0
 do_writepages+0x175/0x700
[...]
Freed by task 179:
 kfree+0xcb/0x240
 ext4_find_extent+0x7c0/0x1f70
 ext4_ext_insert_extent+0xa26/0x3330
 ext4_ext_map_blocks+0xe22/0x2d40
 ext4_map_blocks+0x71e/0x1700
 ext4_do_writepages+0x1290/0x2800
 ext4_writepages+0x26d/0x4e0
 do_writepages+0x175/0x700
[...]
==================================================================
```

So use *ppath to update the path to avoid the above problem.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: fix slab-use-after-free in ext4_split_extent_at()

We hit the following use-after-free:

```
==================================================================
BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
Call Trace:
 <TASK>
 kasan_report+0x93/0xc0
 ext4_split_extent_at+0xba8/0xcc0
 ext4_split_extent.isra.0+0x18f/0x500
 ext4_split_convert_extents+0x275/0x750
 ext4_ext_handle_unwritten_extents+0x73e/0x1580
 ext4_ext_map_blocks+0xe20/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
[...]
Allocated by task 40:
 __kmalloc_noprof+0x1ac/0x480
 ext4_find_extent+0xf3b/0x1e70
 ext4_ext_map_blocks+0x188/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
[...]
Freed by task 40:
 kfree+0xf1/0x2b0
 ext4_find_extent+0xa71/0x1e70
 ext4_ext_insert_extent+0xa22/0x3260
 ext4_split_extent_at+0x3ef/0xcc0
 ext4_split_extent.isra.0+0x18f/0x500
 ext4_split_convert_extents+0x275/0x750
 ext4_ext_handle_unwritten_extents+0x73e/0x1580
 ext4_ext_map_blocks+0xe20/0x2dc0
 ext4_map_blocks+0x724/0x1700
 ext4_do_writepages+0x12d6/0x2a70
[...]
==================================================================
```

The flow of issue triggering is as follows:

```
ext4_split_extent_at
  path = *ppath
  ext4_ext_insert_extent(ppath)
    ext4_ext_create_new_leaf(ppath)
      ext4_find_extent(orig_path)
        path = *orig_path
        read_extent_tree_block
          // return -ENOMEM or -EIO
          ext4_free_ext_path(path)
            kfree(path)
          *orig_path = NULL
  a. If err is -ENOMEM:
  ext4_ext_dirty(path + path->p_depth)
  // path use-after-free !!!
  b. If err is -EIO and we have EXT_DEBUG defined:
  ext4_ext_show_leaf(path)
    eh = path[depth].p_hdr
    // path also use-after-free !!!
```

So when trying to zeroout or fix the extent length, call ext4_find_extent() to update the path.

In addition we use *ppath directly as an ext4_ext_show_leaf() input to avoid possible use-after-free when EXT_DEBUG is defined, and to avoid unnecessary path updates.
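The three ext4 extent-path entries above (orig_path not written back by ext4_find_extent(), a stale local after ext4_ext_create_new_leaf(), and the ext4_split_extent_at() case) share one pattern: a callee frees and reallocates the path through a double pointer while the caller still holds the old value. The C model below is an added example, not kernel code: struct ext_path, find_extent(), insert_extent() and run_scenario() are stand-ins for the kernel functions named in the traces, and the model reports which condition it reached instead of dereferencing freed memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the kernel's struct ext4_ext_path; only the two
 * fields the traces above mention are modelled. */
struct ext_path {
    int p_depth;
    int p_maxdepth;
};

/* Model of ext4_find_extent(). A path that is not deep enough is freed and
 * reallocated. Before the "ext4: update orig_path" fix the new allocation
 * was returned but not written back through *orig_path, so the caller was
 * left with a valid return value and a NULL ppath. */
static struct ext_path *find_extent(int depth, struct ext_path **orig_path,
                                    int find_fixed)
{
    struct ext_path *path = *orig_path;

    if (path && depth > path[0].p_maxdepth) {
        free(path);             /* every other copy of this pointer is now stale */
        *orig_path = path = NULL;
    }
    if (!path) {
        path = calloc((size_t)depth + 2, sizeof(*path));
        if (!path)
            return NULL;
        path[0].p_maxdepth = depth + 1;
        if (find_fixed)
            *orig_path = path;  /* the fix: keep the caller's ppath current */
    }
    path[0].p_depth = depth;
    return path;
}

/* Outcomes reported by insert_extent() instead of crashing. */
enum {
    PATH_OK = 0,
    PATH_PPATH_NULL = -1,   /* caller's *ppath left NULL: NULL deref and a leak */
    PATH_STALE_LOCAL = -2,  /* caller kept a freed pointer: use-after-free */
    PATH_ENOMEM = -3
};

/* Caller shaped like ext4_ext_insert_extent() -> ext4_ext_create_new_leaf():
 * it copies *ppath into a local, calls something that may reallocate through
 * ppath, and then decides which pointer to keep using. */
static int insert_extent(struct ext_path **ppath, int depth,
                         int find_fixed, int caller_reloads)
{
    /* "path = *ppath = 2000" in the trace; kept as an integer so the
     * comparison below stays well defined after the block has been freed. */
    uintptr_t local = (uintptr_t)*ppath;
    struct ext_path *found = find_extent(depth, ppath, find_fixed);

    if (!found)
        return PATH_ENOMEM;
    if (!*ppath) {
        /* ext4_split_extent_at(*ppath = NULL) would dereference NULL, and
         * nobody holds the fresh allocation. Freed here only to keep the
         * model leak-free; the kernel had no handle with which to do so. */
        free(found);
        return PATH_PPATH_NULL;
    }
    if (caller_reloads)
        local = (uintptr_t)*ppath;  /* "use *ppath to update the path" */
    if (local != (uintptr_t)*ppath)
        return PATH_STALE_LOCAL;    /* path[depth].p_hdr here would be a UAF */
    return PATH_OK;
}

/* One scenario: start with a path good for depth 0 only, then look up
 * new_depth. Returns the insert_extent() outcome. */
int run_scenario(int new_depth, int find_fixed, int caller_reloads)
{
    struct ext_path *path = calloc(2, sizeof(*path));
    int rc;

    if (!path)
        return PATH_ENOMEM;
    path[0].p_maxdepth = 0;
    rc = insert_extent(&path, new_depth, find_fixed, caller_reloads);
    free(path);                 /* whichever allocation ppath ends up holding */
    return rc;
}

int main(void)
{
    static const char *const names[] = { "ok", "ppath NULL", "stale local", "nomem" };
    const struct { int depth, find_fixed, reloads; } cases[] = {
        { 0, 0, 0 },    /* no growth needed: both bugs stay latent */
        { 2, 0, 0 },    /* find_extent bug: caller's ppath is NULL */
        { 2, 1, 0 },    /* find_extent fixed, caller still uses the old pointer */
        { 2, 1, 1 },    /* both fixes: safe */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int rc = run_scenario(cases[i].depth, cases[i].find_fixed, cases[i].reloads);
        printf("depth %d find_fixed %d reloads %d -> %s\n", cases[i].depth,
               cases[i].find_fixed, cases[i].reloads, names[-rc]);
    }
    return 0;
}
```

The depth-0 case shows why the bugs stayed latent: nothing goes wrong until the path has to grow, which is exactly the "depth > path[0].p_maxdepth" branch in the traces.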


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

Links

Description

In the Linux kernel, the following vulnerability has been resolved: platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug

Attaching SST PCI device to VM causes "BUG: KASAN: slab-out-of-bounds".

kasan report:
[ 19.411889] ==================================================================
[ 19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113
[ 19.417368]
[ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G E 6.9.0 #10
[ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022
[ 19.422687] Call Trace:
[ 19.424091] <TASK>
[ 19.425448] dump_stack_lvl+0x5d/0x80
[ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.428694] print_report+0x19d/0x52e
[ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.433539] kasan_report+0xf0/0x170
[ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
[ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
[ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]
[ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
[ 19.444797] cpuhp_invoke_callback+0x221/0xec0
[ 19.446337] cpuhp_thread_fun+0x21b/0x610
[ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
[ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
[ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 19.452405] kthread+0x29c/0x350
[ 19.453817] ? __pfx_kthread+0x10/0x10
[ 19.455253] ret_from_fork+0x31/0x70
[ 19.456685] ? __pfx_kthread+0x10/0x10
[ 19.458114] ret_from_fork_asm+0x1a/0x30
[ 19.459573] </TASK>
[ 19.460853]
[ 19.462055] Allocated by task 1198:
[ 19.463410] kasan_save_stack+0x30/0x50
[ 19.464788] kasan_save_track+0x14/0x30
[ 19.466139] __kasan_kmalloc+0xaa/0xb0
[ 19.467465] __kmalloc+0x1cd/0x470
[ 19.468748] isst_if_cdev_register+0x1da/0x350 [isst_if_common]
[ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
[ 19.471670] do_one_initcall+0xa4/0x380
[ 19.472903] do_init_module+0x238/0x760
[ 19.474105] load_module+0x5239/0x6f00
[ 19.475285] init_module_from_file+0xd1/0x130
[ 19.476506] idempotent_init_module+0x23b/0x650
[ 19.477725] __x64_sys_finit_module+0xbe/0x130
[ 19.478920] do_syscall_64+0x82/0x160
[ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 19.481292]
[ 19.482205] The buggy address belongs to the object at ffff888829e65000 which belongs to the cache kmalloc-512 of size 512
[ 19.484818] The buggy address is located 0 bytes to the right of allocated 512-byte region [ffff888829e65000, ffff888829e65200)
[ 19.487447]
[ 19.488328] The buggy address belongs to the physical page:
[ 19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888829e60c00 pfn:0x829e60
[ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 19.492466] anon flags: 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
[ 19.493914] page_type: 0xffffffff()
[ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.496451] raw: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.497906] head: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.499379] head: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.500844] head: 0057ffffc0000003 ffffea0020a79801 ffffea0020a79848 00000000ffffffff
[ 19.502316] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 19.503784] page dumped because: k ---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: ensure the fw_info is not null before using it This resolves the dereference null return value warning reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Validate hdwq pointers before dereferencing in reset/errata paths When the HBA is undergoing a reset or is handling an errata event, NULL ptr dereference crashes may occur in routines such as lpfc_sli_flush_io_rings(), lpfc_dev_loss_tmo_callbk(), or lpfc_abort_handler(). Add NULL ptr checks before dereferencing hdwq pointers that may have been freed due to operations colliding with a reset or errata event handler.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Initialize get_bytes_per_element's default to 1 Variables used as denominators, which may not be assigned other values, should not be 0. bytes_per_element_y & bytes_per_element_c are initialized by get_bytes_per_element() which should never return 0. This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index out of bounds in degamma hardware format translation Fixes index out of bounds issue in `cm_helper_translate_curve_to_degamma_hw_format` function. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds the function returns false to indicate an error.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation This commit addresses a potential index out of bounds issue in the `cm3_helper_translate_curve_to_degamma_hw_format` function in the DCN30 color management module. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, the function returns false to indicate an error.

Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:338 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:339 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:340 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check stream before comparing them [WHAT & HOW] amdgpu_dm can pass a null stream to dc_is_stream_unchanged. It is necessary to check for null before dereferencing them. This fixes 1 FORWARD_NULL issue reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check phantom_stream before it is used dcn32_enable_phantom_stream can return null, so the returned value must be checked before it is used. This fixes 1 NULL_RETURNS issue reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Initialize denominators' default to 1 [WHAT & HOW] Variables used as denominators, which may not be assigned other values, should not be 0. Change their default to 1 so they are never 0. This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uninit-value access of new_ea in ea_buffer

syzbot reports that lzo1x_1_do_compress is using uninit-value:
=====================================================
BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178
...
Uninit was stored to memory at:
ea_put fs/jfs/xattr.c:639 [inline]
...
Local variable ea_buf created at:
__jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662
__jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934
=====================================================

The reason is ea_buf->new_ea is not initialized properly. Fix this by using memset to empty its content at the beginning in ea_get().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs There are some cases, such as the one uncovered by Commit 46d4efcccc68 ("drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails") where msm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL); is called on gpu->pdev == NULL, as the GPU device has not been fully initialized yet. Turns out that there's more than just the aforementioned path that causes this to happen (e.g. the case when there's speedbin data in the catalog, but opp-supported-hw is missing in DT). Assigning msm_gpu->pdev earlier seems like the least painful solution to this, therefore do so. Patchwork: https://patchwork.freedesktop.org/patch/602742/


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: jfs: check if leafidx greater than num leaves per dmap tree syzbot reports an out-of-bounds access in dbSplit; it happens because dmt_leafidx is greater than the number of leaves per dmap tree, so add a check for dmt_leafidx in dbFindLeaf. Shaggy: Modified sanity check to apply to control pages as well as leaf pages.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uaf in dbFreeBits

[syzbot reported]
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216

CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
__mutex_lock_common kernel/locking/mutex.c:587 [inline]
__mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390
dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409
dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650
jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100
jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83

Freed by task 5218:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2252 [inline]
slab_free mm/slub.c:4473 [inline]
kfree+0x149/0x360 mm/slub.c:4594
dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278
jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247
jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454
reconfigure_super+0x445/0x880 fs/super.c:1083
vfs_cmd_reconfigure fs/fsopen.c:263 [inline]
vfs_fsconfig_locked fs/fsopen.c:292 [inline]
__do_sys_fsconfig fs/fsopen.c:473 [inline]
__se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

[Analysis]
There are two paths (dbUnmount and jfs_ioc_trim) that generate a race condition when accessing bmap, which leads to the occurrence of uaf. Use the lock s_umount to synchronize them, in order to avoid uaf caused by the race condition.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2) This commit adds a null check for the 'afb' variable in the amdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was assumed to be null, but was used later in the code without a null check. This could potentially lead to a null pointer dereference. Changes since v1: - Moved the null check for 'afb' to the line where 'afb' is used. (Alex) Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointer before try to access it [why & how] Change the order of the pipe_ctx->plane_state check to ensure that plane_state is not null before accessing it.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointers before using dc->clk_mgr [WHY & HOW] dc->clk_mgr is null checked previously in the same function, indicating it might be null. Passing "dc" to "dc->hwss.apply_idle_power_optimizations", which dereferences null "dc->clk_mgr". (The function pointer resolves to "dcn35_apply_idle_power_optimizations".) This fixes 1 FORWARD_NULL issue reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for 'afb' in amdgpu_dm_update_cursor (v2) This commit adds a null check for the 'afb' variable in the amdgpu_dm_update_cursor function. Previously, 'afb' was assumed to be null at line 8388, but was used later in the code without a null check. This could potentially lead to a null pointer dereference. Changes since v1: - Moved the null check for 'afb' to the line where 'afb' is used. (Alex) Fixes the below: drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:8433 amdgpu_dm_update_cursor() error: we previously assumed 'afb' could be null (see line 8388)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL check for function pointer in dcn32_set_output_transfer_func This commit adds a null check for the set_output_gamma function pointer in the dcn32_set_output_transfer_func function. Previously, set_output_gamma was being checked for null, but then it was being dereferenced without any null check. This could lead to a null pointer dereference if set_output_gamma is null. To fix this, we now ensure that set_output_gamma is not null before dereferencing it. We do this by adding a null check for set_output_gamma before the call to set_output_gamma.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL check for function pointer in dcn20_set_output_transfer_func This commit adds a null check for the set_output_gamma function pointer in the dcn20_set_output_transfer_func function. Previously, set_output_gamma was being checked for null at line 1030, but then it was being dereferenced without any null check at line 1048. This could potentially lead to a null pointer dereference error if set_output_gamma is null. To fix this, we now ensure that set_output_gamma is not null before dereferencing it. We do this by adding a null check for set_output_gamma before the call to set_output_gamma at line 1048.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream' This commit adds a null check for 'stream_status' in the function 'planes_changed_for_existing_stream'. Previously, the code assumed 'stream_status' could be null, but did not handle the case where it was actually null. This could lead to a null pointer dereference. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_resource.c:3784 planes_changed_for_existing_stream() error: we previously assumed 'stream_status' could be null (see line 3774)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream This commit addresses a null pointer dereference issue in the `commit_planes_for_stream` function at line 4140. The issue could occur when `top_pipe_to_program` is null. The fix adds a check to ensure `top_pipe_to_program` is not null before accessing its stream_res. This prevents a null pointer dereference. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc.c:4140 commit_planes_for_stream() error: we previously assumed 'top_pipe_to_program' could be null (see line 3906)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for pipe_ctx->plane_state in dcn20_program_pipe This commit addresses a null pointer dereference issue in the `dcn20_program_pipe` function. The issue could occur when `pipe_ctx->plane_state` is null. The fix adds a check to ensure `pipe_ctx->plane_state` is not null before accessing. This prevents a null pointer dereference. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn20/dcn20_hwseq.c:1925 dcn20_program_pipe() error: we previously assumed 'pipe_ctx->plane_state' could be null (see line 1877)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL check for clk_mgr and clk_mgr->funcs in dcn30_init_hw This commit addresses a potential null pointer dereference issue in the `dcn30_init_hw` function. The issue could occur when `dc->clk_mgr` or `dc->clk_mgr->funcs` is null. The fix adds a check to ensure `dc->clk_mgr` and `dc->clk_mgr->funcs` is not null before accessing its functions. This prevents a potential null pointer dereference. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/hwss/dcn30/dcn30_hwseq.c:789 dcn30_init_hw() error: we previously assumed 'dc->clk_mgr' could be null (see line 628)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for head_pipe in dcn32_acquire_idle_pipe_for_head_pipe_in_layer This commit addresses a potential null pointer dereference issue in the `dcn32_acquire_idle_pipe_for_head_pipe_in_layer` function. The issue could occur when `head_pipe` is null. The fix adds a check to ensure `head_pipe` is not null before asserting it. If `head_pipe` is null, the function returns NULL to prevent a potential null pointer dereference. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn32/dcn32_resource.c:2690 dcn32_acquire_idle_pipe_for_head_pipe_in_layer() error: we previously assumed 'head_pipe' could be null (see line 2681)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer This commit addresses a potential null pointer dereference issue in the `dcn201_acquire_free_pipe_for_layer` function. The issue could occur when `head_pipe` is null. The fix adds a check to ensure `head_pipe` is not null before asserting it. If `head_pipe` is null, the function returns NULL to prevent a potential null pointer dereference. Reported by smatch: drivers/gpu/drm/amd/amdgpu/../display/dc/resource/dcn201/dcn201_resource.c:1016 dcn201_acquire_free_pipe_for_layer() error: we previously assumed 'head_pipe' could be null (see line 1010)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointers before multiple uses [WHAT & HOW] Pointers, such as stream_enc and dc->bw_vbios, are null checked previously in the same function, so Coverity warns "implies that stream_enc and dc->bw_vbios might be null". They are used multiple times in the subsequent code and need to be checked. This fixes 10 FORWARD_NULL issues reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointers before used [WHAT & HOW] Pointers, such as dc->clk_mgr, are null checked previously in the same function, so Coverity warns "implies that "dc->clk_mgr" might be null". As a result, these pointers need to be checked when used again. This fixes 10 FORWARD_NULL issues reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointers before using them [WHAT & HOW] These pointers are null checked previously in the same function, indicating they might be null as reported by Coverity. As a result, they need to be checked when used again. This fixes 3 FORWARD_NULL issues reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Pass non-null to dcn20_validate_apply_pipe_split_flags [WHAT & HOW] "dcn20_validate_apply_pipe_split_flags" dereferences merge, and thus it cannot be a null pointer. Let's pass a valid pointer to avoid null dereference. This fixes 2 FORWARD_NULL issues reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: fbdev: pxafb: Fix possible use after free in pxafb_task() In the pxafb_probe function, it calls the pxafb_init_fbinfo function, after which &fbi->task is associated with pxafb_task. Moreover, within this pxafb_init_fbinfo function, the pxafb_blank function within the &pxafb_ops struct is capable of scheduling work. If we remove the module, which will call pxafb_remove to perform cleanup, it will call the unregister_framebuffer function, which can call do_unregister_framebuffer to free fbi->fb through put_fb_info(fb_info), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0                                  CPU1
                                      pxafb_task
pxafb_remove
unregister_framebuffer(info)
do_unregister_framebuffer(fb_info)
put_fb_info(fb_info)
// free fbi->fb
                                      set_ctrlr_state(fbi, state)
                                      __pxafb_lcd_power(fbi, 0)
                                      fbi->lcd_power(on, &fbi->fb.var)
                                      //use fbi->fb

Fix it by ensuring that the work is canceled before proceeding with the cleanup in pxafb_remove. Note that only root user can remove the driver at runtime.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: fbdev: efifb: Register sysfs groups through driver core The driver core can register and cleanup sysfs groups already. Make use of that functionality to simplify the error handling and cleanup. Also avoid a UAF race during unregistering where the sysctl attributes were usable after the info struct was freed.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: avoid NULL pointer dereference iwl_mvm_tx_skb_sta() and iwl_mvm_tx_mpdu() verify that the mvmsta pointer is not NULL. They retrieve this pointer using iwl_mvm_sta_from_mac80211, which dereferences the ieee80211_sta pointer. If sta is NULL, iwl_mvm_sta_from_mac80211 will dereference a NULL pointer. Fix this by checking the sta pointer before retrieving the mvmsta from it. If sta is not NULL, then mvmsta isn't either.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix array out-of-bound access in SoC stats Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx() function accesses ath11k_soc_dp_stats::hal_reo_error using the REO destination SRNG ring ID, which is incorrect. The SRNG ring ID differs from the normal ring ID, and this usage leads to out-of-bounds array access. To fix this issue, modify ath11k_dp_process_rx() to use the normal ring ID directly instead of the SRNG ring ID to avoid out-of-bounds array access.

Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: blk_iocost: fix more out of bound shifts Recently running UBSAN caught a few out of bound shifts in the ioc_forgive_debts() function:

    UBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38
    shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long long')
    ...
    UBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30
    shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long long')
    ...
    Call Trace:
    <IRQ>
    dump_stack_lvl+0xca/0x130
    __ubsan_handle_shift_out_of_bounds+0x22c/0x280
    ? __lock_acquire+0x6441/0x7c10
    ioc_timer_fn+0x6cec/0x7750
    ? blk_iocost_init+0x720/0x720
    ? call_timer_fn+0x5d/0x470
    call_timer_fn+0xfa/0x470
    ? blk_iocost_init+0x720/0x720
    __run_timer_base+0x519/0x700
    ...

The actual impact of this issue was not identified, but I propose to fix the undefined behaviour. The proposed fix to prevent those out of bound shifts consists of precalculating the exponent before using it in the shift operations, by taking the min value from the actual exponent and the maximum possible number of bits.
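Added example, not code from the kernel or from this advisory: it models the two shifts UBSAN pointed at (a debt and a delay value halved once per idle cycle) and the clamp the commit message describes. Only the field names abs_vdebt and delay are taken from the report; the struct, the function names and the sample values are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t u64;

/* Shifting a 64-bit value by 64 or more bits is undefined in C; that is
 * the condition UBSAN reported ("shift exponent 80 is too large"). */
#define U64_BITS 64

/* Shape of the code UBSAN flagged: the exponent is a cycle count that
 * nothing bounds to the type width. Kept for comparison only; calling
 * it with nr_cycles >= 64 is undefined behaviour. */
u64 forgive_unchecked(u64 value, u64 nr_cycles)
{
	return value >> nr_cycles;
}

/* The fix as the commit message describes it: pre-compute the exponent
 * as the minimum of the cycle count and the widest legal shift. After
 * 63 halvings any u64 is already 0 or 1, so nothing of value is lost. */
static u64 forgive_clamped(u64 value, u64 nr_cycles)
{
	u64 shift = nr_cycles < U64_BITS - 1 ? nr_cycles : U64_BITS - 1;

	return value >> shift;
}

/* Per-cgroup state reduced to the two fields the UBSAN lines point at.
 * The layout is this example's own. */
struct iocg_debt {
	u64 abs_vdebt;
	u64 delay;
};

/* Apply nr_cycles halvings to both fields, as one timer pass would after
 * a long idle period. Returns 1 when the clamp actually engaged. */
static int ioc_forgive_debts_example(struct iocg_debt *d, u64 nr_cycles)
{
	d->abs_vdebt = forgive_clamped(d->abs_vdebt, nr_cycles);
	d->delay = forgive_clamped(d->delay, nr_cycles);
	return nr_cycles >= U64_BITS - 1;
}

int main(void)
{
	/* Constructed sample: 80 idle cycles, the exponent from the UBSAN report. */
	struct iocg_debt d = { .abs_vdebt = 1ULL << 40, .delay = 1000 };
	int clamped = ioc_forgive_debts_example(&d, 80);

	printf("clamped=%d abs_vdebt=%llu delay=%llu\n", clamped,
	       (unsigned long long)d.abs_vdebt, (unsigned long long)d.delay);
	return 0;
}
```

The clamp matters because the exponent is derived from elapsed time, not from any field an attacker controls; it is the machine sitting idle that produces the oversized shift, so the guard belongs next to the arithmetic rather than at an input boundary.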


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: fs/inode: Prevent dump_mapping() accessing invalid dentry.d_name.name It's observed that a crash occurs during hot-remove of a memory device, in which a user is accessing the hugetlb. See the calltrace as follows:

    ------------[ cut here ]------------
    WARNING: CPU: 1 PID: 14045 at arch/x86/mm/fault.c:1278 do_user_addr_fault+0x2a0/0x790
    Modules linked in: kmem device_dax cxl_mem cxl_pmem cxl_port cxl_pci dax_hmem dax_pmem nd_pmem cxl_acpi nd_btt cxl_core crc32c_intel nvme virtiofs fuse nvme_core nfit libnvdimm dm_multipath scsi_dh_rdac scsi_dh_emc s mirror dm_region_hash dm_log dm_mod
    CPU: 1 PID: 14045 Comm: daxctl Not tainted 6.10.0-rc2-lizhijian+ #492
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
    RIP: 0010:do_user_addr_fault+0x2a0/0x790
    Code: 48 8b 00 a8 04 0f 84 b5 fe ff ff e9 1c ff ff ff 4c 89 e9 4c 89 e2 be 01 00 00 00 bf 02 00 00 00 e8 b5 ef 24 00 e9 42 fe ff ff <0f> 0b 48 83 c4 08 4c 89 ea 48 89 ee 4c 89 e7 5b 5d 41 5c 41 5d 41
    RSP: 0000:ffffc90000a575f0 EFLAGS: 00010046
    RAX: ffff88800c303600 RBX: 0000000000000000 RCX: 0000000000000000
    RDX: 0000000000001000 RSI: ffffffff82504162 RDI: ffffffff824b2c36
    RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90000a57658
    R13: 0000000000001000 R14: ffff88800bc2e040 R15: 0000000000000000
    FS:  00007f51cb57d880(0000) GS:ffff88807fd00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000001000 CR3: 00000000072e2004 CR4: 00000000001706f0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    Call Trace:
    <TASK>
    ? __warn+0x8d/0x190
    ? do_user_addr_fault+0x2a0/0x790
    ? report_bug+0x1c3/0x1d0
    ? handle_bug+0x3c/0x70
    ? exc_invalid_op+0x14/0x70
    ? asm_exc_invalid_op+0x16/0x20
    ? do_user_addr_fault+0x2a0/0x790
    ? exc_page_fault+0x31/0x200
    exc_page_fault+0x68/0x200
    <...snip...>
    BUG: unable to handle page fault for address: 0000000000001000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0
    Oops: Oops: 0000 [#1] PREEMPT SMP PTI
    ---[ end trace 0000000000000000 ]---
    BUG: unable to handle page fault for address: 0000000000001000
    #PF: supervisor read access in kernel mode
    #PF: error_code(0x0000) - not-present page
    PGD 800000000ad92067 P4D 800000000ad92067 PUD 7677067 PMD 0
    Oops: Oops: 0000 [#1] PREEMPT SMP PTI
    CPU: 1 PID: 14045 Comm: daxctl Kdump: loaded Tainted: G W 6.10.0-rc2-lizhijian+ #492
    Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
    RIP: 0010:dentry_name+0x1f4/0x440
    <...snip...>
    ? dentry_name+0x2fa/0x440
    vsnprintf+0x1f3/0x4f0
    vprintk_store+0x23a/0x540
    vprintk_emit+0x6d/0x330
    _printk+0x58/0x80
    dump_mapping+0x10b/0x1a0
    ? __pfx_free_object_rcu+0x10/0x10
    __dump_page+0x26b/0x3e0
    ? vprintk_emit+0xe0/0x330
    ? _printk+0x58/0x80
    ? dump_page+0x17/0x50
    dump_page+0x17/0x50
    do_migrate_range+0x2f7/0x7f0
    ? do_migrate_range+0x42/0x7f0
    ? offline_pages+0x2f4/0x8c0
    offline_pages+0x60a/0x8c0
    memory_subsys_offline+0x9f/0x1c0
    ? lockdep_hardirqs_on+0x77/0x100
    ? _raw_spin_unlock_irqrestore+0x38/0x60
    device_offline+0xe3/0x110
    state_store+0x6e/0xc0
    kernfs_fop_write_iter+0x143/0x200
    vfs_write+0x39f/0x560
    ksys_write+0x65/0xf0
    do_syscall_64+0x62/0x130

Previously, some sanity checks had been done in dump_mapping() before the print facility parsed '%pd'; still, it's possible to run into an invalid dentry.d_name.name. Since dump_mapping() only needs to dump the filename, retrieve it by itself in a safer way to prevent an unnecessary crash. Note that whether retrieving the filename with '%pd' or with strncpy_from_kernel_nofault(), the filename could be unreliable.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ACPI: PAD: fix crash in exit_round_robin() The kernel occasionally crashes in cpumask_clear_cpu(), which is called within exit_round_robin(), because when executing clear_bit(nr, addr) with nr set to 0xffffffff, the address calculation may cause misalignment within the memory, leading to access to an invalid memory address.

    ----------
    BUG: unable to handle kernel paging request at ffffffffe0740618
    ...
    CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1
    ...
    RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]
    Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31
    RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202
    RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000
    RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
    RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8
    R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e
    R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e
    FS:  0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0
    DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
    PKRU: 55555554
    Call Trace:
    ? acpi_pad_add+0x120/0x120 [acpi_pad]
    kthread+0x10b/0x130
    ? set_kthread_struct+0x50/0x50
    ret_from_fork+0x1f/0x40
    ...
    CR2: ffffffffe0740618

    crash> dis -lr ffffffffc0726923
    ...
    /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114
    0xffffffffc0726918 <power_saving_thread+776>:   mov    %r12d,%r12d
    /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325
    0xffffffffc072691b <power_saving_thread+779>:   mov    -0x3f8d7de0(,%r12,4),%eax
    /usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80
    0xffffffffc0726923 <power_saving_thread+787>:   lock btr %rax,0x19cf4(%rip)        # 0xffffffffc0740620 <pad_busy_cpus_bits>

    crash> px tsk_in_cpu[14]
    $66 = 0xffffffff

    crash> px 0xffffffffc072692c+0x19cf4
    $99 = 0xffffffffc0740620

    crash> sym 0xffffffffc0740620
    ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad]

    crash> px pad_busy_cpus_bits[0]
    $42 = 0xfffc0
    ----------

To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling cpumask_clear_cpu() in exit_round_robin(), just as it is done in round_robin_cpu().

[ rjw: Subject edit, avoid updates to the same value ]
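Added example, not the acpi_pad driver's code: it reproduces the data shape from the crash dump (a pad_busy_cpus_bits bitmap and a tsk_in_cpu[] table whose empty slots hold -1) and shows the sentinel check the commit message describes, placed in exit_round_robin() as it already was in round_robin_cpu(). The array sizes, the bounds-checked bit helpers and the return conventions are this example's own; the kernel's clear_bit() takes the bit number unchecked, which is how -1 became 0xffffffff and an address outside the bitmap.

```c
#include <stdint.h>
#include <stdio.h>

/* Sizes are this example's own; the kernel uses nr_cpu_ids and the
 * number of acpi_pad threads actually started. */
#define NR_CPUS      64
#define NR_PAD_TASKS 16

/* Bitmap of CPUs currently occupied by an acpi_pad thread
 * (pad_busy_cpus_bits in the crash dump). */
static uint64_t pad_busy_cpus_bits;

/* CPU each acpi_pad task is bound to; -1 means "no CPU"
 * (tsk_in_cpu[14] was 0xffffffff, i.e. -1, in the crash dump). */
static int tsk_in_cpu[NR_PAD_TASKS];

static void pad_init(void)
{
	pad_busy_cpus_bits = 0;
	for (int i = 0; i < NR_PAD_TASKS; i++)
		tsk_in_cpu[i] = -1;
}

/* The kernel's clear_bit() takes an unsigned bit number, so -1 turns
 * into 0xffffffff and the computed bit address lands far outside the
 * bitmap. These helpers refuse any bit number outside the bitmap. */
static int cpumask_set_cpu(int cpu)
{
	if (cpu < 0 || cpu >= NR_CPUS)
		return -1;
	pad_busy_cpus_bits |= (uint64_t)1 << cpu;
	return 0;
}

static int cpumask_clear_cpu(int cpu)
{
	if (cpu < 0 || cpu >= NR_CPUS)
		return -1;
	pad_busy_cpus_bits &= ~((uint64_t)1 << cpu);
	return 0;
}

/* Bind task tsk_index to cpu, releasing whatever CPU it held before.
 * The != -1 check here is the one the commit message says already
 * existed in round_robin_cpu(). */
static int round_robin_cpu(unsigned int tsk_index, int cpu)
{
	if (tsk_index >= NR_PAD_TASKS)
		return -1;
	if (tsk_in_cpu[tsk_index] != -1)
		cpumask_clear_cpu(tsk_in_cpu[tsk_index]);
	if (cpumask_set_cpu(cpu) != 0)
		return -1;
	tsk_in_cpu[tsk_index] = cpu;
	return 0;
}

/* The fixed exit path: a task that never received a CPU still has -1
 * recorded and must not try to clear "bit -1". */
static int exit_round_robin(unsigned int tsk_index)
{
	if (tsk_index >= NR_PAD_TASKS)
		return -1;
	if (tsk_in_cpu[tsk_index] == -1)
		return 0;
	cpumask_clear_cpu(tsk_in_cpu[tsk_index]);
	tsk_in_cpu[tsk_index] = -1;
	return 0;
}

int main(void)
{
	pad_init();
	round_robin_cpu(14, 5);
	exit_round_robin(3);   /* task 3 never had a CPU: must be a no-op */
	exit_round_robin(14);
	printf("busy bits after exit: %#llx\n",
	       (unsigned long long)pad_busy_cpus_bits);
	return 0;
}
```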


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net/xen-netback: prevent UAF in xenvif_flush_hash() During the list_for_each_entry_rcu iteration call of xenvif_flush_hash, kfree_rcu does not exist inside the rcu read critical section, so if kfree_rcu is called when the rcu grace period ends during the iteration, UAF occurs when accessing head->next after the entry becomes free. Therefore, to solve this, you need to change it to list_for_each_entry_safe.
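Added example, not xen-netback's code: a user-space model of the flush loop with a minimal <linux/list.h>-style list, showing the walk that reads the next pointer out of an already freed entry beside the list_for_each_entry_safe() form the commit message calls for. RCU is not modelled; the entry struct, the cache name and the sample sizes are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Minimal doubly linked list in the style of <linux/list.h>. RCU is
 * not modelled; the point is the iteration order, which is the same
 * with or without it. */
struct list_head {
	struct list_head *next, *prev;
};

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *h)
{
	h->next = h->prev = h;
}

static void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next;
	n->prev = head;
	head->next->prev = n;
	head->next = n;
}

/* Unlinks e and, like the kernel's LIST_POISON, leaves pointers that
 * any later walk through e will trip over. */
static void list_del(struct list_head *e)
{
	e->prev->next = e->next;
	e->next->prev = e->prev;
	e->next = e->prev = NULL;
}

static int list_empty(const struct list_head *h)
{
	return h->next == h;
}

/* Entry shape assumed for this example; the driver's struct is not reproduced. */
struct hash_cache_entry {
	struct list_head link;
	unsigned int key;
};

static struct list_head cache = { &cache, &cache };

/* Populate the cache with n constructed entries. */
static void cache_fill(unsigned int n)
{
	INIT_LIST_HEAD(&cache);
	for (unsigned int i = 0; i < n; i++) {
		struct hash_cache_entry *e = malloc(sizeof(*e));
		if (!e)
			abort();
		e->key = i;
		list_add(&e->link, &cache);
	}
}

/* The buggy walk: the loop increment reads pos->next after pos has been
 * handed to free(). In the kernel the free is deferred by kfree_rcu(),
 * but this loop holds no RCU read lock, so the grace period can end
 * mid-walk. Not called by this example. */
void flush_hash_unsafe(void)
{
	struct list_head *pos;

	for (pos = cache.next; pos != &cache; pos = pos->next) {
		struct hash_cache_entry *e =
			container_of(pos, struct hash_cache_entry, link);
		list_del(&e->link);
		free(e);
	}
}

/* The fixed walk, with list_for_each_entry_safe() semantics: the
 * successor is fetched before the current entry can be freed.
 * Returns the number of entries released. */
static unsigned int flush_hash_safe(void)
{
	struct list_head *pos, *n;
	unsigned int freed = 0;

	for (pos = cache.next, n = pos->next; pos != &cache;
	     pos = n, n = pos->next) {
		struct hash_cache_entry *e =
			container_of(pos, struct hash_cache_entry, link);
		list_del(&e->link);
		free(e);
		freed++;
	}
	return freed;
}

int main(void)
{
	cache_fill(5);
	unsigned int freed = flush_hash_safe();
	printf("freed %u entries, empty=%d\n", freed, list_empty(&cache));
	return 0;
}
```

Building with -fsanitize=address and calling flush_hash_unsafe() after cache_fill() is the quickest way to see the read-after-free that KASAN would report in the kernel.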


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Syzbot points out that skb_trim() has a sanity check on the existing length of the skb, which can be uninitialised in some error paths. The intent here is clearly just to reset the length to zero before resubmitting, so switch to calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length() already contains a call to skb_reset_tail_pointer(), so remove the redundant call. The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid to add interface to list twice when SER If SER L2 occurs during the WoWLAN resume flow, the add interface flow is triggered by ieee80211_reconfig(). However, due to rtw89_wow_resume() returning failure, it will cause the add interface flow to be executed again, resulting in a double add list and causing a kernel panic. Therefore, we have added a check to prevent double adding of the list.

    list_add double add: new=ffff99d6992e2010, prev=ffff99d6992e2010, next=ffff99d695302628.
    ------------[ cut here ]------------
    kernel BUG at lib/list_debug.c:37!
    invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
    CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W O 6.6.30-02659-gc18865c4dfbd #1 770df2933251a0e3c888ba69d1053a817a6376a7
    Hardware name: HP Grunt/Grunt, BIOS Google_Grunt.11031.169.0 06/24/2021
    Workqueue: events_freezable ieee80211_restart_work [mac80211]
    RIP: 0010:__list_add_valid_or_report+0x5e/0xb0
    Code: c7 74 18 48 39 ce 74 13 b0 01 59 5a 5e 5f 41 58 41 59 41 5a 5d e9 e2 d6 03 00 cc 48 c7 c7 8d 4f 17 83 48 89 c2 e8 02 c0 00 00 <0f> 0b 48 c7 c7 aa 8c 1c 83 e8 f4 bf 00 00 0f 0b 48 c7 c7 c8 bc 12
    RSP: 0018:ffffa91b8007bc50 EFLAGS: 00010246
    RAX: 0000000000000058 RBX: ffff99d6992e0900 RCX: a014d76c70ef3900
    RDX: ffffa91b8007bae8 RSI: 00000000ffffdfff RDI: 0000000000000001
    RBP: ffffa91b8007bc88 R08: 0000000000000000 R09: ffffa91b8007bae0
    R10: 00000000ffffdfff R11: ffffffff83a79800 R12: ffff99d695302060
    R13: ffff99d695300900 R14: ffff99d6992e1be0 R15: ffff99d6992e2010
    FS:  0000000000000000(0000) GS:ffff99d6aac00000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 000078fbdba43480 CR3: 000000010e464000 CR4: 00000000001506f0
    Call Trace:
    <TASK>
    ? __die_body+0x1f/0x70
    ? die+0x3d/0x60
    ? do_trap+0xa4/0x110
    ? __list_add_valid_or_report+0x5e/0xb0
    ? do_error_trap+0x6d/0x90
    ? __list_add_valid_or_report+0x5e/0xb0
    ? handle_invalid_op+0x30/0x40
    ? __list_add_valid_or_report+0x5e/0xb0
    ? exc_invalid_op+0x3c/0x50
    ? asm_exc_invalid_op+0x16/0x20
    ? __list_add_valid_or_report+0x5e/0xb0
    rtw89_ops_add_interface+0x309/0x310 [rtw89_core 7c32b1ee6854761c0321027c8a58c5160e41f48f]
    drv_add_interface+0x5c/0x130 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
    ieee80211_reconfig+0x241/0x13d0 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
    ? finish_wait+0x3e/0x90
    ? synchronize_rcu_expedited+0x174/0x260
    ? sync_rcu_exp_done_unlocked+0x50/0x50
    ? wake_bit_function+0x40/0x40
    ieee80211_restart_work+0xf0/0x140 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
    process_scheduled_works+0x1e5/0x480
    worker_thread+0xea/0x1e0
    kthread+0xdb/0x110
    ? move_linked_works+0x90/0x90
    ? kthread_associate_blkcg+0xa0/0xa0
    ret_from_fork+0x3b/0x50
    ? kthread_associate_blkcg+0xa0/0xa0
    ret_from_fork_asm+0x11/0x20
    </TASK>
    Modules linked in: dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc rfcomm cmac uinput algif_hash algif_skcipher af_alg btusb btrtl iio_trig_hrtimer industrialio_sw_trigger btmtk industrialio_configfs btbcm btintel uvcvideo videobuf2_vmalloc iio_trig_sysfs videobuf2_memops videobuf2_v4l2 videobuf2_common uvc snd_hda_codec_hdmi veth snd_hda_intel snd_intel_dspcfg acpi_als snd_hda_codec industrialio_triggered_buffer kfifo_buf snd_hwdep industrialio i2c_piix4 snd_hda_core designware_i2s ip6table_nat snd_soc_max98357a xt_MASQUERADE xt_cgroup snd_soc_acp_rt5682_mach fuse rtw89_8922ae(O) rtw89_8922a(O) rtw89_pci(O) rtw89_core(O) 8021q mac80211(O) bluetooth ecdh_generic ecc cfg80211 r8152 mii joydev
    gsmi: Log Shutdown Reason 0x03
    ---[ end trace 0000000000000000 ]---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net/ncsi: Disable the ncsi work before freeing the associated structure The work function can run after the ncsi device is freed, resulting in use-after-free bugs or kernel panic.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ppp: do not assume bh is held in ppp_channel_bridge_input() The networking receive path is usually handled from a BH handler. However, some protocols need to acquire the socket lock, and packets might be stored in the socket backlog if the socket was owned by a user process. In this case, release_sock(), __release_sock(), and sk_backlog_rcv() might call the sk->sk_backlog_rcv() handler in process context. syzbot caught that ppp was not considering this case in ppp_channel_bridge_input():

    WARNING: inconsistent lock state
    6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted
    --------------------------------
    inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
    ksoftirqd/1/24 [HC0[0]:SC1[1]:HE1:SE0] takes:
    ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
    ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
    ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
    {SOFTIRQ-ON-W} state was registered at:
    lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
    __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
    _raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
    spin_lock include/linux/spinlock.h:351 [inline]
    ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
    ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
    pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379
    sk_backlog_rcv include/net/sock.h:1111 [inline]
    __release_sock+0x1a8/0x3d8 net/core/sock.c:3004
    release_sock+0x68/0x1b8 net/core/sock.c:3558
    pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903
    sock_sendmsg_nosec net/socket.c:730 [inline]
    __sock_sendmsg net/socket.c:745 [inline]
    __sys_sendto+0x374/0x4f4 net/socket.c:2204
    __do_sys_sendto net/socket.c:2216 [inline]
    __se_sys_sendto net/socket.c:2212 [inline]
    __arm64_sys_sendto+0xd8/0xf8 net/socket.c:2212
    __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
    invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
    el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
    do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
    el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
    el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
    el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
    irq event stamp: 282914
    hardirqs last enabled at (282914): [<ffff80008b42e30c>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
    hardirqs last enabled at (282914): [<ffff80008b42e30c>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
    hardirqs last disabled at (282913): [<ffff80008b42e13c>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
    hardirqs last disabled at (282913): [<ffff80008b42e13c>] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162
    softirqs last enabled at (282904): [<ffff8000801f8e88>] softirq_handle_end kernel/softirq.c:400 [inline]
    softirqs last enabled at (282904): [<ffff8000801f8e88>] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582
    softirqs last disabled at (282909): [<ffff8000801fbdf8>] run_ksoftirqd+0x70/0x158 kernel/softirq.c:928

    other info that might help us debug this:
    Possible unsafe locking scenario:

          CPU0
          ----
     lock(&pch->downl);
     <Interrupt>
       lock(&pch->downl);

    *** DEADLOCK ***

    1 lock held by ksoftirqd/1/24:
    #0: ffff80008f74dfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:325

    stack backtrace:
    CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
    Call trace:
    dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319
    show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326
    __dump_sta ---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net: test for not too small csum_start in virtio_net_hdr_to_skb() syzbot was able to trigger this warning [1], after injecting a malicious packet through af_packet, setting skb->csum_start and thus the transport header to an incorrect value. We can at least make sure the transport header is after the end of the network header (with an estimated minimal size).

[1]
    [ 67.873027] skb len=4096 headroom=16 headlen=14 tailroom=0 mac=(-1,-1) mac_len=0 net=(16,-6) trans=10 shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0)) csum(0xa start=10 offset=0 ip_summed=3 complete_sw=0 valid=0 level=0) hash(0x0 sw=0 l4=0) proto=0x0800 pkttype=0 iif=0 priority=0x0 mark=0x0 alloc_cpu=10 vlan_all=0x0 encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
    [ 67.877172] dev name=veth0_vlan feat=0x000061164fdd09e9
    [ 67.877764] sk family=17 type=3 proto=0
    [ 67.878279] skb linear: 00000000: 00 00 10 00 00 00 00 00 0f 00 00 00 08 00
    [ 67.879128] skb frag: 00000000: 0e 00 07 00 00 00 28 00 08 80 1c 00 04 00 00 02
    [ 67.879877] skb frag: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 67.880647] skb frag: 00000020: 00 00 02 00 00 00 08 00 1b 00 00 00 00 00 00 00
    [ 67.881156] skb frag: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 67.881753] skb frag: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 67.882173] skb frag: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 67.882790] skb frag: 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 67.883171] skb frag: 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 67.883733] skb frag: 00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 67.884206] skb frag: 00000090: 00 00 00 00 00 00 00 00 00 00 69 70 76 6c 61 6e
    [ 67.884704] skb frag: 000000a0: 31 00 00 00 00 00 00 00 00 00 2b 00 00 00 00 00
    [ 67.885139] skb frag: 000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 67.885677] skb frag: 000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 67.886042] skb frag: 000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 67.886408] skb frag: 000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 67.887020] skb frag: 000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 67.887384] skb frag: 00000100: 00 00
    [ 67.887878] ------------[ cut here ]------------
    [ 67.887908] offset (-6) >= skb_headlen() (14)
    [ 67.888445] WARNING: CPU: 10 PID: 2088 at net/core/dev.c:3332 skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
    [ 67.889353] Modules linked in: macsec macvtap macvlan hsr wireguard curve25519_x86_64 libcurve25519_generic libchacha20poly1305 chacha_x86_64 libchacha poly1305_x86_64 dummy bridge sr_mod cdrom evdev pcspkr i2c_piix4 9pnet_virtio 9p 9pnet netfs
    [ 67.890111] CPU: 10 UID: 0 PID: 2088 Comm: b363492833 Not tainted 6.11.0-virtme #1011
    [ 67.890183] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
    [ 67.890309] RIP: 0010:skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
    [ 67.891043] Call Trace:
    [ 67.891173] <TASK>
    [ 67.891274] ? __warn (kernel/panic.c:741)
    [ 67.891320] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
    [ 67.891333] ? report_bug (lib/bug.c:180 lib/bug.c:219)
    [ 67.891348] ? handle_bug (arch/x86/kernel/traps.c:239)
    [ 67.891363] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
    [ 67.891372] ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)
    [ 67.891388] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
    [ 67.891399] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
    [ 67.891416] ip_do_fragment (net/ipv4/ip_output.c:777 (discriminator 1))
    [ 67.891448] ? __ip_local_out (./include/linux/skbuff.h:1146 ./include/net/l3mdev.h:196 ./include/net/l3mdev.h:213 ne ---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net: avoid potential underflow in qdisc_pkt_len_init() with UFO After commit 7c6d2ecbda83 ("net: be more gentle about silly gso requests coming from user") virtio_net_hdr_to_skb() had a sanity check to detect malicious attempts from user space to cook a bad GSO packet. Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO"), while fixing one issue, allowed user space to cook a GSO packet with the following characteristics: IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28. When this packet arrives in qdisc_pkt_len_init(), we end up with hdr_len = 28 (IPv4 header + UDP header), matching skb->len. Then the following sets gso_segs to 0:

    gso_segs = DIV_ROUND_UP(skb->len - hdr_len, shinfo->gso_size);

Then later we set qdisc_sk_cb(skb)->pkt_len back to zero :/

    qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;

This leads to the following crash in fq_codel [1]. qdisc_pkt_len_init() is best effort; we only want an estimation of the bytes sent on the wire, not crashing the kernel. This patch is fixing this particular issue; a following one adds more sanity checks for another potential bug.

[1]
    [ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
    [ 70.724561] #PF: supervisor read access in kernel mode
    [ 70.724561] #PF: error_code(0x0000) - not-present page
    [ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
    [ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
    [ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
    [ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
    [ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
    [ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
    All code
    ========
       0:   24 08                   and    $0x8,%al
       2:   49 c1 e1 06             shl    $0x6,%r9
       6:   44 89 7c 24 18          mov    %r15d,0x18(%rsp)
       b:   45 31 ed                xor    %r13d,%r13d
       e:   45 31 c0                xor    %r8d,%r8d
      11:   31 ff                   xor    %edi,%edi
      13:   89 44 24 14             mov    %eax,0x14(%rsp)
      17:   4c 03 8b 90 01 00 00    add    0x190(%rbx),%r9
      1e:   eb 04                   jmp    0x24
      20:   39 ca                   cmp    %ecx,%edx
      22:   73 37                   jae    0x5b
      24:   4d 8b 39                mov    (%r9),%r15
      27:   83 c7 01                add    $0x1,%edi
      2a:*  49 8b 17                mov    (%r15),%rdx      <-- trapping instruction
      2d:   49 89 11                mov    %rdx,(%r9)
      30:   41 8b 57 28             mov    0x28(%r15),%edx
      34:   45 8b 5f 34             mov    0x34(%r15),%r11d
      38:   49 c7 07 00 00 00 00    movq   $0x0,(%r15)
      3f:   49                      rex.WB

    Code starting with the faulting instruction
    ===========================================
       0:   49 8b 17                mov    (%r15),%rdx
       3:   49 89 11                mov    %rdx,(%r9)
       6:   41 8b 57 28             mov    0x28(%r15),%edx
       a:   45 8b 5f 34             mov    0x34(%r15),%r11d
       e:   49 c7 07 00 00 00 00    movq   $0x0,(%r15)
      15:   49                      rex.WB
    [ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
    [ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
    [ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
    [ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
    [ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
    [ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
    [ 70.724561] FS:  000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
    [ 70.724561] CS:  0010 DS: 0000 ES: 0000 C ---truncated---
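Added example, not the kernel's qdisc_pkt_len_init(): the two lines of arithmetic quoted in the commit message, carried through with its own numbers (skb->len = 28, hdr_len = 28, gso_size = 3) to show the estimate wrapping to zero in unsigned arithmetic, beside a guarded version. The guard used here (treat a "GSO" packet with no payload beyond its headers as unsegmentable and keep the plain length) is this example's own; the kernel patch is not reproduced, and the function names are assumptions.

```c
#include <stdio.h>

/* Same rounding helper the kernel uses. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Inputs: skb_len = total bytes, hdr_len = L2+L3+L4 header bytes that
 * qdisc_pkt_len_init() counted, gso_size = payload bytes per segment
 * taken from the untrusted virtio_net_hdr. All unsigned, as in the kernel. */

/* The arithmetic as the commit message quotes it. With skb_len == hdr_len,
 * gso_segs is 0 and (gso_segs - 1) wraps to UINT_MAX, so pkt_len wraps too.
 * Unsigned wrap is defined behaviour, which is why the result is silently
 * wrong instead of a sanitizer report. */
unsigned int qdisc_pkt_len_before(unsigned int skb_len, unsigned int hdr_len,
				  unsigned int gso_size)
{
	unsigned int pkt_len = skb_len;
	unsigned int gso_segs = DIV_ROUND_UP(skb_len - hdr_len, gso_size);

	pkt_len += (gso_segs - 1) * hdr_len;
	return pkt_len;
}

/* Guarded estimate (this example's guard, not the kernel patch verbatim):
 * a packet that carries nothing beyond its headers cannot be segmented,
 * so report its plain length rather than an estimate built on zero segments. */
unsigned int qdisc_pkt_len_after(unsigned int skb_len, unsigned int hdr_len,
				 unsigned int gso_size)
{
	unsigned int pkt_len = skb_len;
	unsigned int gso_segs;

	if (gso_size == 0 || skb_len <= hdr_len)
		return pkt_len;

	gso_segs = DIV_ROUND_UP(skb_len - hdr_len, gso_size);
	pkt_len += (gso_segs - 1) * hdr_len;
	return pkt_len;
}

int main(void)
{
	/* The packet from the commit message: IPv4 + UDP headers only, gso_size=3. */
	printf("before: pkt_len=%u\n", qdisc_pkt_len_before(28, 28, 3));
	printf("after:  pkt_len=%u\n", qdisc_pkt_len_after(28, 28, 3));
	return 0;
}
```

For a legitimate GSO packet both versions agree; only the header-only packet that the earlier virtio_net_hdr_to_skb() check let through takes the different path.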


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix uaf in l2cap_connect [Syzbot reported]

    BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
    Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54

    CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
    Workqueue: hci2 hci_rx_work
    Call Trace:
    <TASK>
    __dump_stack lib/dump_stack.c:93 [inline]
    dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
    print_address_description mm/kasan/report.c:377 [inline]
    print_report+0xc3/0x620 mm/kasan/report.c:488
    kasan_report+0xd9/0x110 mm/kasan/report.c:601
    l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
    l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]
    l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
    l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
    l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825
    l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
    hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
    hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
    process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
    process_scheduled_works kernel/workqueue.c:3312 [inline]
    worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
    kthread+0x2c1/0x3a0 kernel/kthread.c:389
    ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
    ...

    Freed by task 5245:
    kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
    kasan_save_track+0x14/0x30 mm/kasan/common.c:68
    kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
    poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
    __kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
    kasan_slab_free include/linux/kasan.h:184 [inline]
    slab_free_hook mm/slub.c:2256 [inline]
    slab_free mm/slub.c:4477 [inline]
    kfree+0x12a/0x3b0 mm/slub.c:4598
    l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
    kref_put include/linux/kref.h:65 [inline]
    l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
    l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
    l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
    hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
    hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265
    hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
    abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
    hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328
    process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
    process_scheduled_works kernel/workqueue.c:3312 [inline]
    worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
    kthread+0x2c1/0x3a0 kernel/kthread.c:389
    ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: static_call: Replace pointless WARN_ON() in static_call_module_notify() static_call_module_notify() triggers a WARN_ON() when memory allocation fails in __static_call_add_module(). That's not really justified, because the failure case must be correctly handled by the well known call chain and the error code is passed through to the initiating userspace application. A memory allocation failure is not a fatal problem, but the WARN_ON() takes the machine out when panic_on_warn is set. Replace it with a pr_warn().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ACPI: battery: Fix possible crash when unregistering a battery hook When a battery hook returns an error when adding a new battery, then the battery hook is automatically unregistered. However, the battery hook provider cannot know that, so it will later call battery_hook_unregister() on the already unregistered battery hook, resulting in a crash. Fix this by using the list head to mark already unregistered battery hooks as already being unregistered so that they can be ignored by battery_hook_unregister().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix null-ptr-deref when journal load failed. During the mounting process, if journal_reset() fails because of a too short journal, jbd2_journal_load() then fails with a NULL j_sb_buffer. Subsequently, ocfs2_journal_shutdown() calls jbd2_journal_flush()->jbd2_cleanup_journal_tail()->__jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail()->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer dereference error. To resolve this issue, we should check the JBD2_LOADED flag to ensure the journal was properly loaded. Additionally, use journal instead of osb->journal directly to simplify the code.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ocfs2: reserve space for inline xattr before attaching reflink tree

One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption

[EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n

The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block.

Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856)
FS Generation: 904309833 (0x35e6ac49)
CRC32: 00000000 ECC: 0000
Type: Regular Attr: 0x0 Flags: Valid
Dynamic Features: (0x16) HasXattr InlineXattr Refcounted
Extended Attributes Block: 0 Extended Attributes Inline Size: 256
User: 0 (root) Group: 0 (root) Size: 281320357888
Links: 1 Clusters: 141738
ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024
atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024
mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024
dtime: 0x0 -- Wed Dec 31 17:00:00 1969
Refcount Block: 2777346
Last Extblk: 2886943 Orphan Slot: 0
Sub Alloc Slot: 0 Sub Alloc Bit: 14
Tree Depth: 1 Count: 227 Next Free Rec: 230
## Offset Clusters Block#
0 0 2310 2776351
1 2310 2139 2777375
2 4449 1221 2778399
3 5670 731 2779423
4 6401 566 2780447
....... .... ....... ....... .... .......

The issue was in the reflink workflow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227, thereby making space of 256 bytes for inline xattr, whereas the inode already has extents beyond this index (in this case up to 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error

In __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail() to recover some journal space. But if an error occurs while executing jbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free space right away, we try other branches, and if j_committing_transaction is NULL (i.e., the tid is 0), we will get the following complaint:

============================================
JBD2: I/O error when updating journal superblock for sdd-8.
__jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available
__jbd2_log_wait_for_space: no way to get more journal space in sdd-8
------------[ cut here ]------------
WARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0
Modules linked in:
CPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1
RIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0
Call Trace:
<TASK>
add_transaction_credits+0x5d1/0x5e0
start_this_handle+0x1ef/0x6a0
jbd2__journal_start+0x18b/0x340
ext4_dirty_inode+0x5d/0xb0
__mark_inode_dirty+0xe4/0x5d0
generic_update_time+0x60/0x70
[...]
============================================

So only if jbd2_cleanup_journal_tail() returns 1, i.e., there is nothing to clean up at the moment, continue to try to reclaim free space in other ways. Note that this fix relies on commit 6f6a6fda2945 ("jbd2: fix ocfs2 corrupt when updating journal superblock fails") to make jbd2_cleanup_journal_tail return the correct error code.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: fix timer use-after-free on failed mount Syzbot has found an ODEBUG bug in ext4_fill_super. The del_timer_sync function cancels the s_err_report timer, which reminds about filesystem errors daily. We should guarantee the timer is no longer active before kfree(sbi). When filesystem mounting fails, the flow goes to failed_mount3, where an error occurs when ext4_stop_mmpd is called, causing a read I/O failure. This triggers the ext4_handle_error function that ultimately re-arms the timer, leaving the s_err_report timer active before kfree(sbi) is called. Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0 ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause NULL pointer dereference later. [ rjw: Subject and changelog edits ]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: mailbox: bcm2835: Fix timeout during suspend mode

During the noirq suspend phase the Raspberry Pi power driver suffers from firmware property timeouts. The reason is that the IRQ of the underlying BCM2835 mailbox is disabled and rpi_firmware_property_list() will always run into a timeout [1]. Since the VideoCore side isn't considered a wakeup source, set the IRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled during the suspend-resume cycle.

[1]
PM: late suspend of devices complete after 1.754 msecs
WARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128 rpi_firmware_property_list+0x204/0x22c
Firmware transaction 0x00028001 timeout
Modules linked in:
CPU: 0 PID: 438 Comm: bash Tainted: G C 6.9.3-dirty #17
Hardware name: BCM2835
Call trace:
unwind_backtrace from show_stack+0x18/0x1c
show_stack from dump_stack_lvl+0x34/0x44
dump_stack_lvl from __warn+0x88/0xec
__warn from warn_slowpath_fmt+0x7c/0xb0
warn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c
rpi_firmware_property_list from rpi_firmware_property+0x68/0x8c
rpi_firmware_property from rpi_firmware_set_power+0x54/0xc0
rpi_firmware_set_power from _genpd_power_off+0xe4/0x148
_genpd_power_off from genpd_sync_power_off+0x7c/0x11c
genpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0
genpd_finish_suspend from dpm_run_callback+0x78/0xd0
dpm_run_callback from device_suspend_noirq+0xc0/0x238
device_suspend_noirq from dpm_suspend_noirq+0xb0/0x168
dpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac
suspend_devices_and_enter from pm_suspend+0x254/0x2e4
pm_suspend from state_store+0xa8/0xd4
state_store from kernfs_fop_write_iter+0x154/0x1a0
kernfs_fop_write_iter from vfs_write+0x12c/0x184
vfs_write from ksys_write+0x78/0xc0
ksys_write from ret_fast_syscall+0x0/0x54
Exception stack(0xcc93dfa8 to 0xcc93dff0)
[...]
PM: noirq suspend of devices complete after 3095.584 msecs


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ocfs2: remove unreasonable unlock in ocfs2_read_blocks Patch series "Misc fixes for ocfs2_read_blocks", v5. This series contains 2 fixes for ocfs2_read_blocks(). The first patch fixes the issue reported by syzbot, which detects bad unlock balance in ocfs2_read_blocks(). The second patch fixes an issue reported by Heming Zhao when reviewing the above fix. This patch (of 2): There was a lock release before exiting, so remove the unreasonable unlock.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ocfs2: cancel dqi_sync_work before freeing oinfo

ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the end; if an error occurs after successfully reading the global quota, it will trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled:

ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c

This reports that there is an active delayed work when freeing oinfo in error handling, so cancel dqi_sync_work first. BTW, return status instead of -1 when .read_file_info fails.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: filesystems without casefold feature cannot be mounted with siphash When mounting the ext4 filesystem, if the default hash version is set to DX_HASH_SIPHASH but the casefold feature is not set, exit the mounting.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix index out of bounds in DCN30 color transformation

This commit addresses a potential index out of bounds issue in the `cm3_helper_translate_curve_to_hw_format` function in the DCN30 color management module. The issue could occur when the index 'i' exceeds the number of transfer function points (TRANSFER_FUNC_POINTS). The fix adds a check to ensure 'i' is within bounds before accessing the transfer function points. If 'i' is out of bounds, the function returns false to indicate an error.

drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:180 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:181 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:182 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: r8169: add tally counter fields added with RTL8125 RTL8125 added fields to the tally counter, which may result in the chip DMA'ing these new fields to unallocated memory. Therefore make sure that the allocated memory area is big enough to hold all of the tally counter values, even if we use only parts of it.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: NFSD: Limit the number of concurrent async COPY operations Nothing appears to limit the number of concurrent async COPY operations that clients can start. In addition, AFAICT each async COPY can copy an unlimited number of 4MB chunks, so can run for a long time. Thus IMO async COPY can become a DoS vector. Add a restriction mechanism that bounds the number of concurrent background COPY operations. Start simple and try to be fair -- this patch implements a per-namespace limit. An async COPY request that occurs while this limit is exceeded gets NFS4ERR_DELAY. The requesting client can choose to send the request again after a delay or fall back to a traditional read/write style copy. If there is need to make the mechanism more sophisticated, we can visit that in future patches.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: uprobes: fix kernel info leak via "[uprobes]" vma xol_add_vma() maps the uninitialized page allocated by __create_xol_area() into userspace. On some architectures (x86) this memory is readable even without VM_READ; VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ, although this doesn't really matter, a debugger can read this memory anyway.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: media: venus: fix use after free bug in venus_remove due to race condition

In venus_probe, core->work is bound with venus_sys_error_handler, which is used to handle errors. The code uses core->sys_err_done to make sync work. The core->work is started in venus_event_notify. If we call venus_remove, there might be an unfinished work. The possible sequence is as follows:

CPU0                      CPU1
                          |venus_sys_error_handler
venus_remove              |
  hfi_destroy             |
    venus_hfi_destroy     |
      kfree(hdev);        |
                          |hfi_reinit
                          |venus_hfi_queues_reinit
                          |//use hdev

Fix it by canceling the work in venus_remove.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: aoe: fix the potential use-after-free problem in more places For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") makes tx() call dev_put() instead of doing so in aoecmd_cfg_pkts(). It avoids that the tx() runs into use-after-free. Then Nicolai Stange found more places in aoe that have a potential use-after-free problem with tx(), e.g. revalidate(), aoecmd_ata_rw(), resend(), probe() and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push packets to the tx queue. So they should also use dev_hold() to increase the refcnt of skb->dev. On the other hand, moving dev_put() to tx() causes the refcnt of skb->dev to be reduced to a negative value, because the corresponding dev_hold() calls are not made in revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp(). This patch fixes this issue.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free

When calling ext4_force_split_extent_at() in ext4_ext_replay_update_ex(), the 'ppath' is updated but it is the 'path' that is freed, thus potentially triggering a double-free in the following process:

ext4_ext_replay_update_ex
  ppath = path
  ext4_force_split_extent_at(&ppath)
    ext4_split_extent_at
      ext4_ext_insert_extent
        ext4_ext_create_new_leaf
          ext4_ext_grow_indepth
            ext4_find_extent
              if (depth > path[0].p_maxdepth)
                kfree(path)              ---> path First freed
                *orig_path = path = NULL ---> null ppath
  kfree(path)                            ---> path double-free !!!

So drop the unnecessary ppath and use path directly to avoid this problem. And use ext4_find_extent() directly to update path, avoiding unnecessary memory allocation and freeing. Also, propagate the error returned by ext4_find_extent() instead of using strange error codes.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume In case there is any sort of clock controller attached to this I2C bus controller, for example Versaclock or even an AIC32x4 I2C codec, then an I2C transfer triggered from the clock controller clk_ops .prepare callback may trigger a deadlock on the drivers/clk/clk.c prepare_lock mutex. This is because the clock controller first grabs the prepare_lock mutex and then performs the prepare operation, including its I2C access. The I2C access resumes this I2C bus controller via the .runtime_resume callback, which calls clk_prepare_enable(), which attempts to grab the prepare_lock mutex again and deadlocks. Since the clock has already been prepared since probe() and is unprepared in remove(), use simple clk_enable()/clk_disable() calls to enable and disable the clock on runtime suspend and resume, to avoid hitting the prepare_lock mutex.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix double free issue during amdgpu module unload

Flexible endpoints use DIGs from available inflexible endpoints, so only the encoders of inflexible links need to be freed. Otherwise, a double free issue may occur when unloading the amdgpu module.

[ 279.190523] RIP: 0010:__slab_free+0x152/0x2f0
[ 279.190577] Call Trace:
[ 279.190580] <TASK>
[ 279.190582] ? show_regs+0x69/0x80
[ 279.190590] ? die+0x3b/0x90
[ 279.190595] ? do_trap+0xc8/0xe0
[ 279.190601] ? do_error_trap+0x73/0xa0
[ 279.190605] ? __slab_free+0x152/0x2f0
[ 279.190609] ? exc_invalid_op+0x56/0x70
[ 279.190616] ? __slab_free+0x152/0x2f0
[ 279.190642] ? asm_exc_invalid_op+0x1f/0x30
[ 279.190648] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]
[ 279.191096] ? __slab_free+0x152/0x2f0
[ 279.191102] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]
[ 279.191469] kfree+0x260/0x2b0
[ 279.191474] dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]
[ 279.191821] link_destroy+0xd7/0x130 [amdgpu]
[ 279.192248] dc_destruct+0x90/0x270 [amdgpu]
[ 279.192666] dc_destroy+0x19/0x40 [amdgpu]
[ 279.193020] amdgpu_dm_fini+0x16e/0x200 [amdgpu]
[ 279.193432] dm_hw_fini+0x26/0x40 [amdgpu]
[ 279.193795] amdgpu_device_fini_hw+0x24c/0x400 [amdgpu]
[ 279.194108] amdgpu_driver_unload_kms+0x4f/0x70 [amdgpu]
[ 279.194436] amdgpu_pci_remove+0x40/0x80 [amdgpu]
[ 279.194632] pci_device_remove+0x3a/0xa0
[ 279.194638] device_remove+0x40/0x70
[ 279.194642] device_release_driver_internal+0x1ad/0x210
[ 279.194647] driver_detach+0x4e/0xa0
[ 279.194650] bus_remove_driver+0x6f/0xf0
[ 279.194653] driver_unregister+0x33/0x60
[ 279.194657] pci_unregister_driver+0x44/0x90
[ 279.194662] amdgpu_exit+0x19/0x1f0 [amdgpu]
[ 279.194939] __do_sys_delete_module.isra.0+0x198/0x2f0
[ 279.194946] __x64_sys_delete_module+0x16/0x20
[ 279.194950] do_syscall_64+0x58/0x120
[ 279.194954] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 279.194980] </TASK>


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Pass a pointer reference to amdgpu_bo_unref to clear the correct pointer; otherwise amdgpu_bo_unref clears the local variable and the original pointer is not set to NULL, which could cause a use-after-free bug.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: tipc: guard against string buffer overrun

Smatch reports that copying media_name and if_name to name_parts may overwrite the destination.

.../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
.../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)

This does seem to be the case so guard against this possibility by using strscpy() and failing if truncation occurs.

Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge")

Compile tested only.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix buffer overflow when parsing NFS reparse points ReparseDataLength is the sum of the InodeType size and DataBuffer size. So to get the DataBuffer size it is needed to subtract InodeType's size from ReparseDataLength. Function cifs_strndup_from_utf16() is currently accessing buf->DataBuffer at a position after the end of the buffer because it does not subtract the InodeType size from the length. Fix this problem and correctly subtract variable len. Member InodeType is present only when the reparse buffer is large enough. Check for ReparseDataLength before accessing InodeType to prevent another invalid memory access. Major and minor rdev values are also present only when the reparse buffer is large enough. Check for the reparse buffer size before calling reparse_mkdev().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() In mlx5e_tir_builder_alloc() kvzalloc() may return NULL which is dereferenced on the next line in a reference to the modify field. Found by Linux Verification Center (linuxtesting.org) with SVACE.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5: Fix error path in multi-packet WQE transmit

Remove the erroneous unmap in case no DMA mapping was established.

The multi-packet WQE transmit code attempts to obtain a DMA mapping for the skb. This could fail, e.g. under memory pressure, when the IOMMU driver just can't allocate more memory for page tables. While the code tries to handle this in the path below the err_unmap label it erroneously unmaps one entry from the sq's FIFO list of active mappings. Since the current map attempt failed this unmap is removing some random DMA mapping that might still be required. If the PCI function now presents that IOVA, the IOMMU may assume a rogue DMA access and e.g. on s390 puts the PCI function in error state.

The erroneous behavior was seen in a stress-test environment that created memory pressure.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

static_call: Handle module init failure correctly in static_call_del_module()

Module insertion invokes static_call_add_module() to initialize the static calls in a module. static_call_add_module() invokes __static_call_init(), which allocates a struct static_call_mod to either encapsulate the built-in static call sites of the associated key into it so further modules can be added or to append the module to the module chain.

If that allocation fails the function returns with an error code and the module core invokes static_call_del_module() to clean up eventually added static_call_mod entries.

This works correctly, when all keys used by the module were converted over to a module chain before the failure. If not then static_call_del_module() causes a #GP as it blindly assumes that key::mods points to a valid struct static_call_mod.

The problem is that key::mods is not an individual struct member of struct static_call_key, it's part of a union to save space:

        union {
                /* bit 0: 0 = mods, 1 = sites */
                unsigned long type;
                struct static_call_mod *mods;
                struct static_call_site *sites;
        };

key::sites is a pointer to the list of built-in usage sites of the static call. The type of the pointer is differentiated by bit 0. A mods pointer has the bit clear, the sites pointer has the bit set.

As static_call_del_module() blindly assumes that the pointer is a valid static_call_mod type, it fails to check for this failure case and dereferences the pointer to the list of built-in call sites, which is obviously bogus.

Cure it by checking whether the key has a sites or a mods pointer.

If it's a sites pointer then the key is not to be touched. As the sites are walked in the same order as in __static_call_init() the site walk can be terminated because all subsequent sites have not been touched by the init code due to the error exit.

If it was converted before the allocation fail, then the inner loop which searches for a module match will find nothing.

A fail in the second allocation in __static_call_init() is harmless and does not require special treatment. The first allocation succeeded and converted the key to a module chain. That first entry has mod::mod == NULL and mod::next == NULL, so the inner loop of static_call_del_module() will neither find a module match nor a module chain. The next site in the walk was either already converted, but can't match the module, or it will exit the outer loop because it has a static_call_site pointer and not a static_call_mod pointer.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Fix system hang while resume with TBT monitor

[Why]
With a Thunderbolt monitor connected, do a suspend and the system may hang during resume. The TBT monitor HPD will be triggered during the resume procedure and call drm_client_modeset_probe() while struct drm_connector connector->dev->master is NULL. It will mess up the pipe topology after resume.

[How]
Skip the TBT monitor HPD during the resume procedure because we currently will probe the connectors after resume by default.

(cherry picked from commit 453f86a26945207a16b8f66aaed5962dc2b95b85)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix i_data_sem unlock order in ext4_ind_migrate()

Fuzzing reports a possible deadlock in jbd2_log_wait_commit.

This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require synchronous updates because the file descriptor is opened with O_SYNC. This can lead to the jbd2_journal_stop() function calling jbd2_might_wait_for_commit(), potentially causing a deadlock if the EXT4_IOC_MIGRATE call races with a write(2) system call.

This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the jbd2_journal_stop function while i_data_sem is locked. This triggers lockdep because the jbd2_journal_start function might also lock the same jbd2_handle simultaneously.

Found by Linux Verification Center (linuxtesting.org) with syzkaller.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

ALSA: asihpi: Fix potential OOB array access

The ASIHPI driver stores some values in a static array upon a response from the driver, and its index depends on the firmware. We shouldn't trust it blindly.

This patch adds a sanity check of the array index to fit in the array size.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()

Replace one-element array with a flexible-array member in `struct host_cmd_ds_802_11_scan_ext`. With this, fix the following warning:

elo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------
elo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1)
elo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value

cpufreq_cpu_get may return NULL. To avoid a NULL dereference, check it and return in case of error.

Found by Linux Verification Center (linuxtesting.org) with SVACE.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

exfat: fix memory leak in exfat_load_bitmap()

If the first directory entry in the root directory is not a bitmap directory entry, 'bh' will not be released and reassigned, which will cause a memory leak.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: fix access to uninitialised lock in fc replay path

The following kernel trace can be triggered with fstest generic/629 when executed against a filesystem with the fast-commit feature enabled:

INFO: trying to register non-static key.
The code is fine but needs lockdep annotation, or maybe
you didn't initialize this object before use?
turning off the locking correctness validator.
CPU: 0 PID: 866 Comm: mount Not tainted 6.10.0+ #11
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x66/0x90
 register_lock_class+0x759/0x7d0
 __lock_acquire+0x85/0x2630
 ? __find_get_block+0xb4/0x380
 lock_acquire+0xd1/0x2d0
 ? __ext4_journal_get_write_access+0xd5/0x160
 _raw_spin_lock+0x33/0x40
 ? __ext4_journal_get_write_access+0xd5/0x160
 __ext4_journal_get_write_access+0xd5/0x160
 ext4_reserve_inode_write+0x61/0xb0
 __ext4_mark_inode_dirty+0x79/0x270
 ? ext4_ext_replay_set_iblocks+0x2f8/0x450
 ext4_ext_replay_set_iblocks+0x330/0x450
 ext4_fc_replay+0x14c8/0x1540
 ? jread+0x88/0x2e0
 ? rcu_is_watching+0x11/0x40
 do_one_pass+0x447/0xd00
 jbd2_journal_recover+0x139/0x1b0
 jbd2_journal_load+0x96/0x390
 ext4_load_and_init_journal+0x253/0xd40
 ext4_fill_super+0x2cc6/0x3180
 ...

In the replay path there's an attempt to lock sbi->s_bdev_wb_lock in function ext4_check_bdev_write_error(). Unfortunately, at this point this spinlock has not been initialized yet. Moving its initialization to an earlier point in __ext4_fill_super() fixes this splat.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

x86/mm/ident_map: Use gbpages only where full GB page should be mapped.

When ident_pud_init() uses only GB pages to create identity maps, large ranges of addresses not actually requested can be included in the resulting table; a 4K request will map a full GB. This can include a lot of extra address space past that requested, including areas marked reserved by the BIOS. That allows processor speculation into reserved regions, which on UV systems can cause system halts.

Only use GB pages when map creation requests include the full GB page of space. Fall back to using smaller 2M pages when only portions of a GB page are included in the request.

No attempt is made to coalesce mapping requests. If a request requires a map entry at the 2M (pmd) level, subsequent mapping requests within the same 1G region will also be at the pmd level, even if adjacent or overlapping such requests could have been combined to map a full GB page. Existing usage starts with larger regions and then adds smaller regions, so this should not have any great consequence.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

kthread: unpark only parked kthread

Calling into kthread unparking unconditionally is mostly harmless when the kthread is already unparked. The wake up is then simply ignored because the target is not in TASK_PARKED state.

However if the kthread is per CPU, the wake up is preceded by a call to kthread_bind() which expects the task to be inactive and in TASK_PARKED state, which obviously isn't the case if it is unparked.

As a result, calling kthread_stop() on an unparked per-cpu kthread triggers such a warning:

WARNING: CPU: 0 PID: 11 at kernel/kthread.c:525 __kthread_bind_mask kernel/kthread.c:525
 <TASK>
 kthread_stop+0x17a/0x630 kernel/kthread.c:707
 destroy_workqueue+0x136/0xc40 kernel/workqueue.c:5810
 wg_destruct+0x1e2/0x2e0 drivers/net/wireguard/device.c:257
 netdev_run_todo+0xe1a/0x1000 net/core/dev.c:10693
 default_device_exit_batch+0xa14/0xa90 net/core/dev.c:11769
 ops_exit_list net/core/net_namespace.c:178 [inline]
 cleanup_net+0x89d/0xcc0 net/core/net_namespace.c:640
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd70 kernel/workqueue.c:3393
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>

Fix this by skipping unnecessary unparking while stopping a kthread.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

net: Fix an unsafe loop on the list

The kernel may crash when deleting a genetlink family if there are still listeners for that family:

Oops: Kernel access of bad area, sig: 11 [#1]
...
NIP [c000000000c080bc] netlink_update_socket_mc+0x3c/0xc0
LR [c000000000c0f764] __netlink_clear_multicast_users+0x74/0xc0
Call Trace:
__netlink_clear_multicast_users+0x74/0xc0
genl_unregister_family+0xd4/0x2d0

Change the unsafe loop on the list to a safe one, because inside the loop there is an element removal from this list.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: fnic: Move flush_work initialization out of if block

After commit 379a58caa199 ("scsi: fnic: Move fnic_fnic_flush_tx() to a work queue"), it can happen that a work item is sent to an uninitialized work queue. This may have the effect that the item being queued is never actually queued, and any further actions depending on it will not proceed.

The following warning is observed while the fnic driver is loaded:

kernel: WARNING: CPU: 11 PID: 0 at ../kernel/workqueue.c:1524 __queue_work+0x373/0x410
kernel: <IRQ>
kernel: queue_work_on+0x3a/0x50
kernel: fnic_wq_copy_cmpl_handler+0x54a/0x730 [fnic 62fbff0c42e7fb825c60a55cde2fb91facb2ed24]
kernel: fnic_isr_msix_wq_copy+0x2d/0x60 [fnic 62fbff0c42e7fb825c60a55cde2fb91facb2ed24]
kernel: __handle_irq_event_percpu+0x36/0x1a0
kernel: handle_irq_event_percpu+0x30/0x70
kernel: handle_irq_event+0x34/0x60
kernel: handle_edge_irq+0x7e/0x1a0
kernel: __common_interrupt+0x3b/0xb0
kernel: common_interrupt+0x58/0xa0
kernel: </IRQ>

It has been observed that this may break the rediscovery of Fibre Channel devices after a temporary fabric failure.

This patch fixes it by moving the work queue initialization out of an if block in fnic_probe().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: wd33c93: Don't use stale scsi_pointer value

A regression was introduced with commit dbb2da557a6a ("scsi: wd33c93: Move the SCSI pointer to private command data") which results in an oops in wd33c93_intr(). That commit added the scsi_pointer variable and initialized it from hostdata->connected. However, during selection, hostdata->connected is not yet valid. Fix this by getting the current scsi_pointer from hostdata->selecting.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

thermal: core: Reference count the zone in thermal_zone_get_by_id()

There are places in the thermal netlink code where nothing prevents the thermal zone object from going away while being accessed after it has been returned by thermal_zone_get_by_id().

To address this, make thermal_zone_get_by_id() get a reference on the thermal zone device object to be returned with the help of get_device(), under thermal_list_lock, and adjust all of its callers to this change with the help of the cleanup.h infrastructure.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/v3d: Stop the active perfmon before being destroyed

When running `kmscube` with one or more performance monitors enabled via `GALLIUM_HUD`, the following kernel panic can occur:

[   55.008324] Unable to handle kernel paging request at virtual address 00000000052004a4
[   55.008368] Mem abort info:
[   55.008377]   ESR = 0x0000000096000005
[   55.008387]   EC = 0x25: DABT (current EL), IL = 32 bits
[   55.008402]   SET = 0, FnV = 0
[   55.008412]   EA = 0, S1PTW = 0
[   55.008421]   FSC = 0x05: level 1 translation fault
[   55.008434] Data abort info:
[   55.008442]   ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000
[   55.008455]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[   55.008467]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[   55.008481] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001046c6000
[   55.008497] [00000000052004a4] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
[   55.008525] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP
[   55.008542] Modules linked in: rfcomm [...] vc4 v3d snd_soc_hdmi_codec drm_display_helper gpu_sched drm_shmem_helper cec drm_dma_helper drm_kms_helper i2c_brcmstb drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight
[   55.008799] CPU: 2 PID: 166 Comm: v3d_bin Tainted: G         C         6.6.47+rpt-rpi-v8 #1  Debian 1:6.6.47-1+rpt1
[   55.008824] Hardware name: Raspberry Pi 4 Model B Rev 1.5 (DT)
[   55.008838] pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[   55.008855] pc : __mutex_lock.constprop.0+0x90/0x608
[   55.008879] lr : __mutex_lock.constprop.0+0x58/0x608
[   55.008895] sp : ffffffc080673cf0
[   55.008904] x29: ffffffc080673cf0 x28: 0000000000000000 x27: ffffff8106188a28
[   55.008926] x26: ffffff8101e78040 x25: ffffff8101baa6c0 x24: ffffffd9d989f148
[   55.008947] x23: ffffffda1c2a4008 x22: 0000000000000002 x21: ffffffc080673d38
[   55.008968] x20: ffffff8101238000 x19: ffffff8104f83188 x18: 0000000000000000
[   55.008988] x17: 0000000000000000 x16: ffffffda1bd04d18 x15: 00000055bb08bc90
[   55.009715] x14: 0000000000000000 x13: 0000000000000000 x12: ffffffda1bd4cbb0
[   55.010433] x11: 00000000fa83b2da x10: 0000000000001a40 x9 : ffffffda1bd04d04
[   55.011162] x8 : ffffff8102097b80 x7 : 0000000000000000 x6 : 00000000030a5857
[   55.011880] x5 : 00ffffffffffffff x4 : 0300000005200470 x3 : 0300000005200470
[   55.012598] x2 : ffffff8101238000 x1 : 0000000000000021 x0 : 0300000005200470
[   55.013292] Call trace:
[   55.013959]  __mutex_lock.constprop.0+0x90/0x608
[   55.014646]  __mutex_lock_slowpath+0x1c/0x30
[   55.015317]  mutex_lock+0x50/0x68
[   55.015961]  v3d_perfmon_stop+0x40/0xe0 [v3d]
[   55.016627]  v3d_bin_job_run+0x10c/0x2d8 [v3d]
[   55.017282]  drm_sched_main+0x178/0x3f8 [gpu_sched]
[   55.017921]  kthread+0x11c/0x128
[   55.018554]  ret_from_fork+0x10/0x20
[   55.019168] Code: f9400260 f1001c1f 54001ea9 927df000 (b9403401)
[   55.019776] ---[ end trace 0000000000000000 ]---
[   55.020411] note: v3d_bin[166] exited with preempt_count 1

This issue arises because, upon closing the file descriptor (which happens when we interrupt `kmscube`), the active performance monitor is not stopped. Although all perfmons are destroyed in `v3d_perfmon_close_file()`, the active performance monitor's pointer (`v3d->active_perfmon`) is still retained. If `kmscube` is run again, the driver will attempt to stop the active performance monitor using the stale pointer in `v3d->active_perfmon`. However, this pointer is no longer valid because the previous process has already terminated, and all performance monitors associated with it have been destroyed and freed.

To fix this, when the active performance monitor belongs to a given process, explicitly stop it before destroying and freeing it.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

slip: make slhc_remember() more robust against malicious packets

syzbot found that slhc_remember() was missing checks against malicious packets [1].

slhc_remember() only checked that the size of the packet was at least 20, which is not good enough. We need to make sure the packet includes the IPv4 and TCP headers that are supposed to be carried.

Add iph and th pointers to make the code more readable.

[1]

BUG: KMSAN: uninit-value in slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
 slhc_remember+0x2e8/0x7b0 drivers/net/slip/slhc.c:666
 ppp_receive_nonmp_frame+0xe45/0x35e0 drivers/net/ppp/ppp_generic.c:2455
 ppp_receive_frame drivers/net/ppp/ppp_generic.c:2372 [inline]
 ppp_do_recv+0x65f/0x40d0 drivers/net/ppp/ppp_generic.c:2212
 ppp_input+0x7dc/0xe60 drivers/net/ppp/ppp_generic.c:2327
 pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
 __release_sock+0x1da/0x330 net/core/sock.c:3072
 release_sock+0x6b/0x250 net/core/sock.c:3626
 pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:744
 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
 __do_sys_sendmmsg net/socket.c:2771 [inline]
 __se_sys_sendmmsg net/socket.c:2768 [inline]
 __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4091 [inline]
 slab_alloc_node mm/slub.c:4134 [inline]
 kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4186
 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
 alloc_skb include/linux/skbuff.h:1322 [inline]
 sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
 pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:744
 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
 __do_sys_sendmmsg net/socket.c:2771 [inline]
 __se_sys_sendmmsg net/socket.c:2768 [inline]
 __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 5460 Comm: syz.2.33 Not tainted 6.12.0-rc2-syzkaller-00006-g87d6aab2389e #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

ppp: fix ppp_async_encode() illegal access

syzbot reported an issue in ppp_async_encode() [1]

In this case, pppoe_sendmsg() is called with a zero size. Then ppp_async_encode() is called with an empty skb.

BUG: KMSAN: uninit-value in ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
BUG: KMSAN: uninit-value in ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
 ppp_async_encode drivers/net/ppp/ppp_async.c:545 [inline]
 ppp_async_push+0xb4f/0x2660 drivers/net/ppp/ppp_async.c:675
 ppp_async_send+0x130/0x1b0 drivers/net/ppp/ppp_async.c:634
 ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2280 [inline]
 ppp_input+0x1f1/0xe60 drivers/net/ppp/ppp_generic.c:2304
 pppoe_rcv_core+0x1d3/0x720 drivers/net/ppp/pppoe.c:379
 sk_backlog_rcv+0x13b/0x420 include/net/sock.h:1113
 __release_sock+0x1da/0x330 net/core/sock.c:3072
 release_sock+0x6b/0x250 net/core/sock.c:3626
 pppoe_sendmsg+0x2b8/0xb90 drivers/net/ppp/pppoe.c:903
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:744
 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
 __do_sys_sendmmsg net/socket.c:2771 [inline]
 __se_sys_sendmmsg net/socket.c:2768 [inline]
 __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4092 [inline]
 slab_alloc_node mm/slub.c:4135 [inline]
 kmem_cache_alloc_node_noprof+0x6bf/0xb80 mm/slub.c:4187
 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:587
 __alloc_skb+0x363/0x7b0 net/core/skbuff.c:678
 alloc_skb include/linux/skbuff.h:1322 [inline]
 sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2732
 pppoe_sendmsg+0x3a7/0xb90 drivers/net/ppp/pppoe.c:867
 sock_sendmsg_nosec net/socket.c:729 [inline]
 __sock_sendmsg+0x30f/0x380 net/socket.c:744
 ____sys_sendmsg+0x903/0xb60 net/socket.c:2602
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2656
 __sys_sendmmsg+0x3c1/0x960 net/socket.c:2742
 __do_sys_sendmmsg net/socket.c:2771 [inline]
 __se_sys_sendmmsg net/socket.c:2768 [inline]
 __x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2768
 x64_sys_call+0xb6e/0x3ba0 arch/x86/include/generated/asm/syscalls_64.h:308
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 1 UID: 0 PID: 5411 Comm: syz.1.14 Not tainted 6.12.0-rc1-syzkaller-00165-g360c1f1f24c6 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

i40e: Fix macvlan leak by synchronizing access to mac_filter_hash

This patch addresses a macvlan leak issue in the i40e driver caused by concurrent access to vsi->mac_filter_hash. The leak occurs when multiple threads attempt to modify the mac_filter_hash simultaneously, leading to inconsistent state and potential memory leaks.

To fix this, we now wrap the calls to i40e_del_mac_filter() and zeroing vf->default_lan_addr.addr with spin_lock/unlock_bh(&vsi->mac_filter_hash_lock), ensuring atomic operations and preventing concurrent access.

Additionally, we add lockdep_assert_held(&vsi->mac_filter_hash_lock) in i40e_add_mac_filter() to help catch similar issues in the future.

Reproduction steps:
1. Spawn VFs and configure port vlan on them.
2. Trigger concurrent macvlan operations (e.g., adding and deleting portvlan and/or mac filters).
3. Observe the potential memory leak and inconsistent state in the mac_filter_hash.

This synchronization ensures the integrity of the mac_filter_hash and prevents the described leak.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change

rfcomm_sk_state_change attempts to use sock_lock so it must never be called with it locked, but rfcomm_sock_ioctl always attempts to lock it, causing the following trace:

======================================================
WARNING: possible circular locking dependency detected
6.8.0-syzkaller-08951-gfe46a7dd189e #0 Not tainted
------------------------------------------------------
syz-executor386/5093 is trying to acquire lock:
ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1671 [inline]
ffff88807c396258 (sk_lock-AF_BLUETOOTH-BTPROTO_RFCOMM){+.+.}-{0:0}, at: rfcomm_sk_state_change+0x5b/0x310 net/bluetooth/rfcomm/sock.c:73

but task is already holding lock:
ffff88807badfd28 (&d->lock){+.+.}-{3:3}, at: __rfcomm_dlc_close+0x226/0x6a0 net/bluetooth/rfcomm/core.c:491


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: netfilter: br_netfilter: fix panic with metadata_dst skb

Fix a kernel panic in the br_netfilter module when sending untagged traffic via a VxLAN device. This happens during the check for fragmentation in br_nf_dev_queue_xmit. It is dependent on:
1) the br_netfilter module being loaded;
2) net.bridge.bridge-nf-call-iptables set to 1;
3) a bridge with a VxLAN (single-vxlan-device) netdevice as a bridge port;
4) untagged frames with size higher than the VxLAN MTU forwarded/flooded.

When forwarding the untagged packet to the VxLAN bridge port, before the netfilter hooks are called, br_handle_egress_vlan_tunnel is called and changes the skb_dst to the tunnel dst. The tunnel_dst is a metadata type of dst, i.e., skb_valid_dst(skb) is false, and metadata->dst.dev is NULL.

Then in the br_netfilter hooks, in br_nf_dev_queue_xmit, there's a check for frames that need to be fragmented: frames with higher MTU than the VxLAN device end up calling br_nf_ip_fragment, which in turn calls ip_skb_dst_mtu. The ip_dst_mtu tries to use the skb_dst(skb) as if it was a valid dst with valid dst->dev, thus the crash.

This case was never supported in the first place, so drop the packet instead.

PING 10.0.0.2 (10.0.0.2) from 0.0.0.0 h1-eth0: 2000(2028) bytes of data.
[ 176.291791] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000110
[ 176.294827] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
[ 176.295252] Modules linked in: vxlan ip6_udp_tunnel udp_tunnel veth br_netfilter bridge stp llc ipv6 crct10dif_ce
[ 176.295923] CPU: 0 PID: 188 Comm: ping Not tainted 6.8.0-rc3-g5b3fbd61b9d1 #2
[ 176.296808] pc : br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
[ 176.297382] lr : br_nf_dev_queue_xmit+0x2ac/0x4ec [br_netfilter]
[ 176.300889] Call trace:
[ 176.301123] br_nf_dev_queue_xmit+0x390/0x4ec [br_netfilter]
[ 176.301411] br_nf_post_routing+0x2a8/0x3e4 [br_netfilter]
[ 176.301703] nf_hook_slow+0x48/0x124
[ 176.302060] br_forward_finish+0xc8/0xe8 [bridge]
[ 176.302371] br_nf_hook_thresh+0x124/0x134 [br_netfilter]
[ 176.302605] br_nf_forward_finish+0x118/0x22c [br_netfilter]
[ 176.302824] br_nf_forward_ip.part.0+0x264/0x290 [br_netfilter]
[ 176.303136] br_nf_forward+0x2b8/0x4e0 [br_netfilter]
[ 176.303359] nf_hook_slow+0x48/0x124
---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: NFSv4: Prevent NULL-pointer dereference in nfs42_complete_copies()

On the node of an NFS client, some files saved in the mountpoint of the NFS server were copied to another location of the same NFS server. Accidentally, the nfs42_complete_copies() got a NULL-pointer dereference crash with the following syslog:

[232064.838881] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116
[232064.839360] NFSv4: state recovery failed for open file nfs/pvc-12b5200d-cd0f-46a3-b9f0-af8f4fe0ef64.qcow2, error = -116
[232066.588183] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058
[232066.590757] Internal error: Oops: 96000007 [#1] SMP
[232066.596953] CPU: 6 PID: 4124696 Comm: 10.253.166.125- Kdump: loaded Not tainted 5.15.131-9.cl9_ocfs2.aarch64 #1
[232066.598034] pc : nfs4_reclaim_open_state+0x220/0x800 [nfsv4]
[232066.598327] lr : nfs4_reclaim_open_state+0x12c/0x800 [nfsv4]
---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in async decryption

Doing an async decryption (large read) crashes with a slab-use-after-free way down in the crypto API. Reproducer:

# mount.cifs -o ...,seal,esize=1 //srv/share /mnt
# dd if=/mnt/largefile of=/dev/null
...
[ 194.196391] ==================================================================
[ 194.196844] BUG: KASAN: slab-use-after-free in gf128mul_4k_lle+0xc1/0x110
[ 194.197269] Read of size 8 at addr ffff888112bd0448 by task kworker/u77:2/899
[ 194.197707]
[ 194.197818] CPU: 12 UID: 0 PID: 899 Comm: kworker/u77:2 Not tainted 6.11.0-lku-00028-gfca3ca14a17a-dirty #43
[ 194.198400] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.2-3-gd478f380-prebuilt.qemu.org 04/01/2014
[ 194.199046] Workqueue: smb3decryptd smb2_decrypt_offload [cifs]
[ 194.200032] Call Trace:
[ 194.200191] <TASK>
[ 194.200327] dump_stack_lvl+0x4e/0x70
[ 194.200558] ? gf128mul_4k_lle+0xc1/0x110
[ 194.200809] print_report+0x174/0x505
[ 194.201040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 194.201352] ? srso_return_thunk+0x5/0x5f
[ 194.201604] ? __virt_addr_valid+0xdf/0x1c0
[ 194.201868] ? gf128mul_4k_lle+0xc1/0x110
[ 194.202128] kasan_report+0xc8/0x150
[ 194.202361] ? gf128mul_4k_lle+0xc1/0x110
[ 194.202616] gf128mul_4k_lle+0xc1/0x110
[ 194.202863] ghash_update+0x184/0x210
[ 194.203103] shash_ahash_update+0x184/0x2a0
[ 194.203377] ? __pfx_shash_ahash_update+0x10/0x10
[ 194.203651] ? srso_return_thunk+0x5/0x5f
[ 194.203877] ? crypto_gcm_init_common+0x1ba/0x340
[ 194.204142] gcm_hash_assoc_remain_continue+0x10a/0x140
[ 194.204434] crypt_message+0xec1/0x10a0 [cifs]
[ 194.206489] ? __pfx_crypt_message+0x10/0x10 [cifs]
[ 194.208507] ? srso_return_thunk+0x5/0x5f
[ 194.209205] ? srso_return_thunk+0x5/0x5f
[ 194.209925] ? srso_return_thunk+0x5/0x5f
[ 194.210443] ? srso_return_thunk+0x5/0x5f
[ 194.211037] decrypt_raw_data+0x15f/0x250 [cifs]
[ 194.212906] ? __pfx_decrypt_raw_data+0x10/0x10 [cifs]
[ 194.214670] ? srso_return_thunk+0x5/0x5f
[ 194.215193] smb2_decrypt_offload+0x12a/0x6c0 [cifs]

This is because TFM is being used in parallel. Fix this by allocating a new AEAD TFM for async decryption, but keep the existing one for synchronous READ cases (similar to what is done in smb3_calc_signature()).

Also remove the calls to aead_request_set_callback() and crypto_wait_req() since it's always going to be a synchronous operation.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: fbcon: Fix a NULL pointer dereference issue in fbcon_putcs

syzbot has found a NULL pointer dereference bug in fbcon. Here is the simplified C reproducer:

```
/* Headers added so the reproducer compiles as shown; they are not part of the original report. */
#include <stdint.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/fb.h>
#include <linux/tiocl.h>

struct param {
    uint8_t type;
    struct tiocl_selection ts;
};

int main()
{
    struct fb_con2fbmap con2fb;
    struct param param;
    int fd = open("/dev/fb1", 0, 0);

    /* Map console 0x19 to framebuffer 0. */
    con2fb.console = 0x19;
    con2fb.framebuffer = 0;
    ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);

    /* TIOCLINUX subcode 2 (set selection) with an empty selection on tty1. */
    param.type = 2;
    param.ts.xs = 0;
    param.ts.ys = 0;
    param.ts.xe = 0;
    param.ts.ye = 0;
    param.ts.sel_mode = 0;
    int fd1 = open("/dev/tty1", O_RDWR, 0);
    ioctl(fd1, TIOCLINUX, &param);

    /* Remapping console 1 now takes the path that ends in ops->putcs. */
    con2fb.console = 1;
    con2fb.framebuffer = 0;
    ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb);
    return 0;
}
```

After calling ioctl(fd1, TIOCLINUX, &param), the subsequent ioctl(fd, FBIOPUT_CON2FBMAP, &con2fb) causes the kernel to follow a different execution path:

set_con2fb_map
 -> con2fb_init_display
 -> fbcon_set_disp
 -> redraw_screen
 -> hide_cursor
 -> clear_selection
 -> highlight
 -> invert_screen
 -> do_update_region
 -> fbcon_putcs
 -> ops->putcs

Since ops->putcs is a NULL pointer, this leads to a kernel panic. To prevent this, we need to call set_blitting_type() within set_con2fb_map() to properly initialize ops->putcs.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointer before dereferencing se [WHAT & HOW] se is null checked previously in the same function, indicating it might be null; therefore, it must be checked when used again. This fixes 1 FORWARD_NULL issue reported by Coverity.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: driver core: bus: Fix double free in driver API bus_register()

For bus_register(), any error which happens after kset_register() will cause @priv to be freed twice; fixed by setting @priv to NULL after the first free.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: serial: protect uart_port_dtr_rts() in uart_shutdown() too

Commit af224ca2df29 (serial: core: Prevent unsafe uart port access, part 3) added a few uport == NULL checks. It added one to uart_shutdown(), so the commit assumes uport can be NULL in there. But right after that protection, there is an unprotected "uart_port_dtr_rts(uport, false);" call. That is invoked only if HUPCL is set, so I assume that is the reason why we do not see lots of these reports. Or it cannot be NULL at this point at all for some reason :P.

Until the above is investigated, stay on the safe side and move this dereference to the if too.

I got this inconsistency from Coverity under CID 1585130. Thanks.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ntb: ntb_hw_switchtec: Fix use after free vulnerability in switchtec_ntb_remove due to race condition

In the switchtec_ntb_add function, it can call switchtec_ntb_init_sndev function, then &sndev->check_link_status_work is bound with check_link_status_work. switchtec_ntb_link_notification may be called to start the work.

If we remove the module which will call switchtec_ntb_remove to make cleanup, it will free sndev through kfree(sndev), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0                      CPU1
                        | check_link_status_work
switchtec_ntb_remove    |
  kfree(sndev);         |
                        | if (sndev->link_force_down)
                        | // use sndev

Fix it by ensuring that the work is canceled before proceeding with the cleanup in switchtec_ntb_remove.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: i3c: master: cdns: Fix use after free vulnerability in cdns_i3c_master Driver Due to Race Condition

In the cdns_i3c_master_probe function, &master->hj_work is bound with cdns_i3c_master_hj. And cdns_i3c_master_interrupt can call cdns_i3c_master_demux_ibis function to start the work.

If we remove the module which will call cdns_i3c_master_remove to make cleanup, it will free master->base through i3c_master_unregister while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0                                      CPU1
                                        | cdns_i3c_master_hj
cdns_i3c_master_remove                  |
  i3c_master_unregister(&master->base)  |
    device_unregister(&master->dev)     |
      device_release                    |
        //free master->base             |
                                        | i3c_master_do_daa(&master->base)
                                        | //use master->base

Fix it by ensuring that the work is canceled before proceeding with the cleanup in cdns_i3c_master_remove.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs-srv: Avoid null pointer deref during path establishment For RTRS path establishment, RTRS client initiates and completes con_num of connections. After establishing all its connections, the information is exchanged between the client and server through the info_req message. During this exchange, it is essential that all connections have been established, and the state of the RTRS srv path is CONNECTED. So add these sanity checks, to make sure we detect and abort process in error scenarios to avoid null pointer deref.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Prevent tail call between progs attached to different hooks

bpf progs can be attached to kernel functions, and the attached functions can take different parameters or return different return values. If prog attached to one kernel function tail calls prog attached to another kernel function, the ctx access or return value verification could be bypassed.

For example, if prog1 is attached to func1 which takes only 1 parameter and prog2 is attached to func2 which takes two parameters. Since verifier assumes the bpf ctx passed to prog2 is constructed based on func2's prototype, verifier allows prog2 to access the second parameter from the bpf ctx passed to it. The problem is that verifier does not prevent prog1 from passing its bpf ctx to prog2 via tail call. In this case, the bpf ctx passed to prog2 is constructed from func1 instead of func2, that is, the assumption for ctx access verification is bypassed.

Another example, if BPF LSM prog1 is attached to hook file_alloc_security, and BPF LSM prog2 is attached to hook bpf_lsm_audit_rule_known. Verifier knows the return value rules for these two hooks, e.g. it is legal for bpf_lsm_audit_rule_known to return positive number 1, and it is illegal for file_alloc_security to return positive number. So verifier allows prog2 to return positive number 1, but does not allow prog1 to return positive number. The problem is that verifier does not prevent prog1 from calling prog2 via tail call. In this case, prog2's return value 1 will be used as the return value for prog1's hook file_alloc_security. That is, the return value rule is bypassed.

This patch adds restriction for tail call to prevent such bypasses.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: uprobe: avoid out-of-bounds memory access of fetching args

Uprobe needs to fetch args into a percpu buffer, and then copy to ring buffer to avoid non-atomic context problem. Sometimes user-space strings, arrays can be very large, but the size of percpu buffer is only page size. And store_trace_args() won't check whether these data exceeds a single page or not, caused out-of-bounds memory access.

It could be reproduced by following steps:
1. build kernel with CONFIG_KASAN enabled
2. save follow program as test.c

```
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// If string length large than MAX_STRING_SIZE, the fetch_store_strlen()
// will return 0, cause __get_data_size() return shorter size, and
// store_trace_args() will not trigger out-of-bounds access.
// So make string length less than 4096.
#define STRLEN 4093

void generate_string(char *str, int n)
{
    int i;
    for (i = 0; i < n; ++i) {
        char c = i % 26 + 'a';
        str[i] = c;
    }
    str[n-1] = '\0';
}

void print_string(char *str)
{
    printf("%s\n", str);
}

int main()
{
    char tmp[STRLEN];
    generate_string(tmp, STRLEN);
    print_string(tmp);
    return 0;
}
```

3. compile program `gcc -o test test.c`
4. get the offset of `print_string()`

```
objdump -t test | grep -w print_string
0000000000401199 g     F .text  000000000000001b              print_string
```

5. configure uprobe with offset 0x1199

```
off=0x1199
cd /sys/kernel/debug/tracing/
echo "p /root/test:${off} arg1=+0(%di):ustring arg2=\$comm arg3=+0(%di):ustring" > uprobe_events
echo 1 > events/uprobes/enable
echo 1 > tracing_on
```

6. run `test`, and kasan will report error.

==================================================================
BUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0
Write of size 8 at addr ffff88812311c004 by task test/499
CPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18
Hardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x55/0x70
print_address_description.constprop.0+0x27/0x310
kasan_report+0x10f/0x120
? strncpy_from_user+0x1d6/0x1f0
strncpy_from_user+0x1d6/0x1f0
? rmqueue.constprop.0+0x70d/0x2ad0
process_fetch_insn+0xb26/0x1470
? __pfx_process_fetch_insn+0x10/0x10
? _raw_spin_lock+0x85/0xe0
? __pfx__raw_spin_lock+0x10/0x10
? __pte_offset_map+0x1f/0x2d0
? unwind_next_frame+0xc5f/0x1f80
? arch_stack_walk+0x68/0xf0
? is_bpf_text_address+0x23/0x30
? kernel_text_address.part.0+0xbb/0xd0
? __kernel_text_address+0x66/0xb0
? unwind_get_return_address+0x5e/0xa0
? __pfx_stack_trace_consume_entry+0x10/0x10
? arch_stack_walk+0xa2/0xf0
? _raw_spin_lock_irqsave+0x8b/0xf0
? __pfx__raw_spin_lock_irqsave+0x10/0x10
? depot_alloc_stack+0x4c/0x1f0
? _raw_spin_unlock_irqrestore+0xe/0x30
? stack_depot_save_flags+0x35d/0x4f0
? kasan_save_stack+0x34/0x50
? kasan_save_stack+0x24/0x50
? mutex_lock+0x91/0xe0
? __pfx_mutex_lock+0x10/0x10
prepare_uprobe_buffer.part.0+0x2cd/0x500
uprobe_dispatcher+0x2c3/0x6a0
? __pfx_uprobe_dispatcher+0x10/0x10
? __kasan_slab_alloc+0x4d/0x90
handler_chain+0xdd/0x3e0
handle_swbp+0x26e/0x3d0
? __pfx_handle_swbp+0x10/0x10
? uprobe_pre_sstep_notifier+0x151/0x1b0
irqentry_exit_to_user_mode+0xe2/0x1b0
asm_exc_int3+0x39/0x40
RIP: 0033:0x401199
</TASK>

This commit enforces the buffer's maxlen less than a page-size to avoid store_trace_args() out-of-memory access.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: Fix use-after-free in gsm_cleanup_mux

BUG: KASAN: slab-use-after-free in gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
Read of size 8 at addr ffff88815fe99c00 by task poc/3379
CPU: 0 UID: 0 PID: 3379 Comm: poc Not tainted 6.11.0+ #56
Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
Call Trace:
<TASK>
gsm_cleanup_mux+0x77b/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
__pfx_gsm_cleanup_mux+0x10/0x10 drivers/tty/n_gsm.c:3124 [n_gsm]
__pfx_sched_clock_cpu+0x10/0x10 kernel/sched/clock.c:389
update_load_avg+0x1c1/0x27b0 kernel/sched/fair.c:4500
__pfx_min_vruntime_cb_rotate+0x10/0x10 kernel/sched/fair.c:846
__rb_insert_augmented+0x492/0xbf0 lib/rbtree.c:161
gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
_raw_spin_lock_irqsave+0x92/0xf0 arch/x86/include/asm/atomic.h:107
__pfx_gsmld_ioctl+0x10/0x10 drivers/tty/n_gsm.c:3822 [n_gsm]
ktime_get+0x5e/0x140 kernel/time/timekeeping.c:195
ldsem_down_read+0x94/0x4e0 arch/x86/include/asm/atomic64_64.h:79
__pfx_ldsem_down_read+0x10/0x10 drivers/tty/tty_ldsem.c:338
__pfx_do_vfs_ioctl+0x10/0x10 fs/ioctl.c:805
tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818

Allocated by task 65:
gsm_data_alloc.constprop.0+0x27/0x190 drivers/tty/n_gsm.c:926 [n_gsm]
gsm_send+0x2c/0x580 drivers/tty/n_gsm.c:819 [n_gsm]
gsm1_receive+0x547/0xad0 drivers/tty/n_gsm.c:3038 [n_gsm]
gsmld_receive_buf+0x176/0x280 drivers/tty/n_gsm.c:3609 [n_gsm]
tty_ldisc_receive_buf+0x101/0x1e0 drivers/tty/tty_buffer.c:391
tty_port_default_receive_buf+0x61/0xa0 drivers/tty/tty_port.c:39
flush_to_ldisc+0x1b0/0x750 drivers/tty/tty_buffer.c:445
process_scheduled_works+0x2b0/0x10d0 kernel/workqueue.c:3229
worker_thread+0x3dc/0x950 kernel/workqueue.c:3391
kthread+0x2a3/0x370 kernel/kthread.c:389
ret_from_fork+0x2d/0x70 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:257

Freed by task 3367:
kfree+0x126/0x420 mm/slub.c:4580
gsm_cleanup_mux+0x36c/0x7b0 drivers/tty/n_gsm.c:3160 [n_gsm]
gsmld_ioctl+0x395/0x1450 drivers/tty/n_gsm.c:3408 [n_gsm]
tty_ioctl+0x643/0x1100 drivers/tty/tty_io.c:2818

[Analysis]
gsm_msg on the tx_ctrl_list or tx_data_list of gsm_mux can be freed by multi threads through ioctl, which leads to the occurrence of uaf. Protect it by gsm tx lock.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: parport: Proper fix for array out-of-bounds access The recent fix for array out-of-bounds accesses replaced sprintf() calls blindly with snprintf(). However, since snprintf() returns the would-be-printed size, not the actually output size, the length calculation can still go over the given limit. Use scnprintf() instead of snprintf(), which returns the actually output letters, for addressing the potential out-of-bounds access properly.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix multiple init when debugfs is disabled

If bt_debugfs is not created successfully, which happens if either CONFIG_DEBUG_FS or CONFIG_DEBUG_FS_ALLOW_ALL is unset, then iso_init() returns early and does not set iso_inited to true. This means that a subsequent call to iso_init() will result in duplicate calls to proto_register(), bt_sock_register(), etc.

With CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, the duplicate call to proto_register() triggers this BUG():

list_add double add: new=ffffffffc0b280d0, prev=ffffffffbab56250, next=ffffffffc0b280d0.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:35!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 2 PID: 887 Comm: bluetoothd Not tainted 6.10.11-1-ao-desktop #1
RIP: 0010:__list_add_valid_or_report+0x9a/0xa0
...
__list_add_valid_or_report+0x9a/0xa0
proto_register+0x2b5/0x340
iso_init+0x23/0x150 [bluetooth]
set_iso_socket_func+0x68/0x1b0 [bluetooth]
kmem_cache_free+0x308/0x330
hci_sock_sendmsg+0x990/0x9e0 [bluetooth]
__sock_sendmsg+0x7b/0x80
sock_write_iter+0x9a/0x110
do_iter_readv_writev+0x11d/0x220
vfs_writev+0x180/0x3e0
do_writev+0xca/0x100
...

This change removes the early return. The check for iso_debugfs being NULL was unnecessary, it is always NULL when iso_inited is false.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Call iso_exit() on module unload

If iso_init() has been called, iso_exit() must be called on module unload. Without that, the struct proto that iso_init() registered with proto_register() becomes invalid, which could cause unpredictable problems later. In my case, with CONFIG_LIST_HARDENED and CONFIG_BUG_ON_DATA_CORRUPTION enabled, loading the module again usually triggers this BUG():

list_add corruption. next->prev should be prev (ffffffffb5355fd0), but was 0000000000000068. (next=ffffffffc0a010d0).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:29!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 4159 Comm: modprobe Not tainted 6.10.11-4+bt2-ao-desktop #1
RIP: 0010:__list_add_valid_or_report+0x61/0xa0
...
__list_add_valid_or_report+0x61/0xa0
proto_register+0x299/0x320
hci_sock_init+0x16/0xc0 [bluetooth]
bt_init+0x68/0xd0 [bluetooth]
__pfx_bt_init+0x10/0x10 [bluetooth]
do_one_initcall+0x80/0x2f0
do_init_module+0x8b/0x230
__do_sys_init_module+0x15f/0x190
do_syscall_64+0x68/0x110
...


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

blk-mq: setup queue ->tag_set before initializing hctx

Commit 7b815817aa58 ("blk-mq: add helper for checking if one CPU is mapped to specified hctx") needs to check queue mapping via tag set in hctx's cpuhp handler. However, q->tag_set may not be set up yet when the cpuhp handler is enabled, and then a kernel oops is triggered.

Fix the issue by setting up queue tag_set before initializing hctx.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

blk-rq-qos: fix crash on rq_qos_wait vs. rq_qos_wake_function race

We're seeing crashes from rq_qos_wake_function that look like this:

  BUG: unable to handle page fault for address: ffffafe180a40084
  #PF: supervisor write access in kernel mode
  #PF: error_code(0x0002) - not-present page
  PGD 100000067 P4D 100000067 PUD 10027c067 PMD 10115d067 PTE 0
  Oops: Oops: 0002 [#1] PREEMPT SMP PTI
  CPU: 17 UID: 0 PID: 0 Comm: swapper/17 Not tainted 6.12.0-rc3-00013-geca631b8fe80 #11
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
  RIP: 0010:_raw_spin_lock_irqsave+0x1d/0x40
  Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00 41 54 9c 41 5c fa 65 ff 05 62 97 30 4c 31 c0 ba 01 00 00 00 <f0> 0f b1 17 75 0a 4c 89 e0 41 5c c3 cc cc cc cc 89 c6 e8 2c 0b 00
  RSP: 0018:ffffafe180580ca0 EFLAGS: 00010046
  RAX: 0000000000000000 RBX: ffffafe180a3f7a8 RCX: 0000000000000011
  RDX: 0000000000000001 RSI: 0000000000000003 RDI: ffffafe180a40084
  RBP: 0000000000000000 R08: 00000000001e7240 R09: 0000000000000011
  R10: 0000000000000028 R11: 0000000000000888 R12: 0000000000000002
  R13: ffffafe180a40084 R14: 0000000000000000 R15: 0000000000000003
  FS: 0000000000000000(0000) GS:ffff9aaf1f280000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: ffffafe180a40084 CR3: 000000010e428002 CR4: 0000000000770ef0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  PKRU: 55555554
  Call Trace:
   <IRQ>
   try_to_wake_up+0x5a/0x6a0
   rq_qos_wake_function+0x71/0x80
   __wake_up_common+0x75/0xa0
   __wake_up+0x36/0x60
   scale_up.part.0+0x50/0x110
   wb_timer_fn+0x227/0x450
   ...

So rq_qos_wake_function() calls wake_up_process(data->task), which calls try_to_wake_up(), which faults in raw_spin_lock_irqsave(&p->pi_lock).

p comes from data->task, and data comes from the waitqueue entry, which is stored on the waiter's stack in rq_qos_wait(). Analyzing the core dump with drgn, I found that the waiter had already woken up and moved on to a completely unrelated code path, clobbering what was previously data->task. Meanwhile, the waker was passing the clobbered garbage in data->task to wake_up_process(), leading to the crash.

What's happening is that in between rq_qos_wake_function() deleting the waitqueue entry and calling wake_up_process(), rq_qos_wait() is finding that it already got a token and returning. The race looks like this:

  rq_qos_wait()                           rq_qos_wake_function()
  ==============================================================
  prepare_to_wait_exclusive()
                                          data->got_token = true;
                                          list_del_init(&curr->entry);
  if (data.got_token)
          break;
  finish_wait(&rqw->wait, &data.wq);
    ^- returns immediately because
       list_empty_careful(&wq_entry->entry)
       is true
  ... return, go do something else ...
                                          wake_up_process(data->task)
                                          (NO LONGER VALID!)-^

Normally, finish_wait() is supposed to synchronize against the waker. But, as noted above, it is returning immediately because the waitqueue entry has already been removed from the waitqueue.

The bug is that rq_qos_wake_function() is accessing the waitqueue entry AFTER deleting it. Note that autoremove_wake_function() wakes the waiter and THEN deletes the waitqueue entry, which is the proper order.

Fix it by swapping the order. We also need to use list_del_init_careful() to match the list_empty_careful() in finish_wait().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

** REJECT ** This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

thermal: intel: int340x: processor: Fix warning during module unload

The processor_thermal driver uses pcim_device_enable() to enable a PCI device, which means the device will be automatically disabled on driver detach. Thus there is no need to call pci_disable_device() again on it.

With recent PCI device resource management improvements, e.g. commit f748a07a0b64 ("PCI: Remove legacy pcim_release()"), this problem is exposed and triggers the warning below.

  [ 224.010735] proc_thermal_pci 0000:00:04.0: disabling already-disabled device
  [ 224.010747] WARNING: CPU: 8 PID: 4442 at drivers/pci/pci.c:2250 pci_disable_device+0xe5/0x100
  ...
  [ 224.010844] Call Trace:
  [ 224.010845] <TASK>
  [ 224.010847] ? show_regs+0x6d/0x80
  [ 224.010851] ? __warn+0x8c/0x140
  [ 224.010854] ? pci_disable_device+0xe5/0x100
  [ 224.010856] ? report_bug+0x1c9/0x1e0
  [ 224.010859] ? handle_bug+0x46/0x80
  [ 224.010862] ? exc_invalid_op+0x1d/0x80
  [ 224.010863] ? asm_exc_invalid_op+0x1f/0x30
  [ 224.010867] ? pci_disable_device+0xe5/0x100
  [ 224.010869] ? pci_disable_device+0xe5/0x100
  [ 224.010871] ? kfree+0x21a/0x2b0
  [ 224.010873] pcim_disable_device+0x20/0x30
  [ 224.010875] devm_action_release+0x16/0x20
  [ 224.010878] release_nodes+0x47/0xc0
  [ 224.010880] devres_release_all+0x9f/0xe0
  [ 224.010883] device_unbind_cleanup+0x12/0x80
  [ 224.010885] device_release_driver_internal+0x1ca/0x210
  [ 224.010887] driver_detach+0x4e/0xa0
  [ 224.010889] bus_remove_driver+0x6f/0xf0
  [ 224.010890] driver_unregister+0x35/0x60
  [ 224.010892] pci_unregister_driver+0x44/0x90
  [ 224.010894] proc_thermal_pci_driver_exit+0x14/0x5f0 [processor_thermal_device_pci]
  ...
  [ 224.010921] ---[ end trace 0000000000000000 ]---

Remove the excess pci_disable_device() calls.

[ rjw: Subject and changelog edits ]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/mad: Improve handling of timed out WRs of mad agent

Current timeout handler of mad agent acquires/releases mad_agent_priv lock for every timed out WRs. This causes heavy locking contention when higher no. of WRs are to be handled inside timeout handler.

This leads to softlockup with below trace in some use cases where rdma-cm path is used to establish connection between peer nodes

Trace:
-----
  BUG: soft lockup - CPU#4 stuck for 26s! [kworker/u128:3:19767]
  CPU: 4 PID: 19767 Comm: kworker/u128:3 Kdump: loaded Tainted: G OE ------- --- 5.14.0-427.13.1.el9_4.x86_64 #1
  Hardware name: Dell Inc. PowerEdge R740/01YM03, BIOS 2.4.8 11/26/2019
  Workqueue: ib_mad1 timeout_sends [ib_core]
  RIP: 0010:__do_softirq+0x78/0x2ac
  RSP: 0018:ffffb253449e4f98 EFLAGS: 00000246
  RAX: 00000000ffffffff RBX: 0000000000000000 RCX: 000000000000001f
  RDX: 000000000000001d RSI: 000000003d1879ab RDI: fff363b66fd3a86b
  RBP: ffffb253604cbcd8 R08: 0000009065635f3b R09: 0000000000000000
  R10: 0000000000000040 R11: ffffb253449e4ff8 R12: 0000000000000000
  R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000040
  FS: 0000000000000000(0000) GS:ffff8caa1fc80000(0000) knlGS:0000000000000000
  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007fd9ec9db900 CR3: 0000000891934006 CR4: 00000000007706e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  PKRU: 55555554
  Call Trace:
   <IRQ>
   ? show_trace_log_lvl+0x1c4/0x2df
   ? show_trace_log_lvl+0x1c4/0x2df
   ? __irq_exit_rcu+0xa1/0xc0
   ? watchdog_timer_fn+0x1b2/0x210
   ? __pfx_watchdog_timer_fn+0x10/0x10
   ? __hrtimer_run_queues+0x127/0x2c0
   ? hrtimer_interrupt+0xfc/0x210
   ? __sysvec_apic_timer_interrupt+0x5c/0x110
   ? sysvec_apic_timer_interrupt+0x37/0x90
   ? asm_sysvec_apic_timer_interrupt+0x16/0x20
   ? __do_softirq+0x78/0x2ac
   ? __do_softirq+0x60/0x2ac
   __irq_exit_rcu+0xa1/0xc0
   sysvec_call_function_single+0x72/0x90
   </IRQ>
   <TASK>
   asm_sysvec_call_function_single+0x16/0x20
  RIP: 0010:_raw_spin_unlock_irq+0x14/0x30
  RSP: 0018:ffffb253604cbd88 EFLAGS: 00000247
  RAX: 000000000001960d RBX: 0000000000000002 RCX: ffff8cad2a064800
  RDX: 000000008020001b RSI: 0000000000000001 RDI: ffff8cad5d39f66c
  RBP: ffff8cad5d39f600 R08: 0000000000000001 R09: 0000000000000000
  R10: ffff8caa443e0c00 R11: ffffb253604cbcd8 R12: ffff8cacb8682538
  R13: 0000000000000005 R14: ffffb253604cbd90 R15: ffff8cad5d39f66c
   cm_process_send_error+0x122/0x1d0 [ib_cm]
   timeout_sends+0x1dd/0x270 [ib_core]
   process_one_work+0x1e2/0x3b0
   ? __pfx_worker_thread+0x10/0x10
   worker_thread+0x50/0x3a0
   ? __pfx_worker_thread+0x10/0x10
   kthread+0xdd/0x100
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x29/0x50
   </TASK>

Simplified timeout handler by creating local list of timed out WRs and invoke send handler post creating the list. The new method acquires/releases lock once to fetch the list and hence helps to reduce locking contention when processing higher no. of WRs.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error

The `nouveau_dmem_copy_one` function ensures that the copy push command is sent to the device firmware but does not track whether it was executed successfully.

In the case of a copy error (e.g., firmware or hardware failure), the copy push command will be sent via the firmware channel, and `nouveau_dmem_copy_one` will likely report success, leading to the `migrate_to_ram` function returning a dirty HIGH_USER page to the user.

This can result in a security vulnerability, as a HIGH_USER page that may contain sensitive or corrupted data could be returned to the user.

To prevent this vulnerability, we allocate a zero page. Thus, in case of an error, a non-dirty (zero) page will be returned to the user.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

scsi: ufs: core: Set SDEV_OFFLINE when UFS is shut down

There is a history of deadlock if reboot is performed at the beginning of booting. SDEV_QUIESCE was set for all LU's scsi_devices by UFS shutdown, and at that time the audio driver was waiting on blk_mq_submit_bio() holding a mutex_lock while reading the fw binary. After that, a deadlock issue occurred while audio driver shutdown was waiting for mutex_unlock of blk_mq_submit_bio(). To solve this, set SDEV_OFFLINE for all LUs except WLUN, so that any I/O that comes down after a UFS shutdown will return an error.

  [ 31.907781]I[0: swapper/0: 0] 1 130705007 1651079834 11289729804 0 D( 2) 3 ffffff882e208000 * init [device_shutdown]
  [ 31.907793]I[0: swapper/0: 0] Mutex: 0xffffff8849a2b8b0: owner[0xffffff882e28cb00 kworker/6:0 :49]
  [ 31.907806]I[0: swapper/0: 0] Call trace:
  [ 31.907810]I[0: swapper/0: 0] __switch_to+0x174/0x338
  [ 31.907819]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc
  [ 31.907826]I[0: swapper/0: 0] schedule+0x7c/0xe8
  [ 31.907834]I[0: swapper/0: 0] schedule_preempt_disabled+0x24/0x40
  [ 31.907842]I[0: swapper/0: 0] __mutex_lock+0x408/0xdac
  [ 31.907849]I[0: swapper/0: 0] __mutex_lock_slowpath+0x14/0x24
  [ 31.907858]I[0: swapper/0: 0] mutex_lock+0x40/0xec
  [ 31.907866]I[0: swapper/0: 0] device_shutdown+0x108/0x280
  [ 31.907875]I[0: swapper/0: 0] kernel_restart+0x4c/0x11c
  [ 31.907883]I[0: swapper/0: 0] __arm64_sys_reboot+0x15c/0x280
  [ 31.907890]I[0: swapper/0: 0] invoke_syscall+0x70/0x158
  [ 31.907899]I[0: swapper/0: 0] el0_svc_common+0xb4/0xf4
  [ 31.907909]I[0: swapper/0: 0] do_el0_svc+0x2c/0xb0
  [ 31.907918]I[0: swapper/0: 0] el0_svc+0x34/0xe0
  [ 31.907928]I[0: swapper/0: 0] el0t_64_sync_handler+0x68/0xb4
  [ 31.907937]I[0: swapper/0: 0] el0t_64_sync+0x1a0/0x1a4
  [ 31.908774]I[0: swapper/0: 0] 49 0 11960702 11236868007 0 D( 2) 6 ffffff882e28cb00 * kworker/6:0 [__bio_queue_enter]
  [ 31.908783]I[0: swapper/0: 0] Call trace:
  [ 31.908788]I[0: swapper/0: 0] __switch_to+0x174/0x338
  [ 31.908796]I[0: swapper/0: 0] __schedule+0x5ec/0x9cc
  [ 31.908803]I[0: swapper/0: 0] schedule+0x7c/0xe8
  [ 31.908811]I[0: swapper/0: 0] __bio_queue_enter+0xb8/0x178
  [ 31.908818]I[0: swapper/0: 0] blk_mq_submit_bio+0x194/0x67c
  [ 31.908827]I[0: swapper/0: 0] __submit_bio+0xb8/0x19c


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

arm64: probes: Remove broken LDR (literal) uprobe support

The simulate_ldr_literal() and simulate_ldrsw_literal() functions are unsafe to use for uprobes. Both functions were originally written for use with kprobes, and access memory with plain C accesses. When uprobes was added, these were reused unmodified even though they cannot safely access user memory.

There are three key problems:

1) The plain C accesses do not have corresponding extable entries, and thus if they encounter a fault the kernel will treat these as unintentional accesses to user memory, resulting in a BUG() which will kill the kernel thread, and likely lead to further issues (e.g. lockup or panic()).

2) The plain C accesses are subject to HW PAN and SW PAN, and so when either is in use, any attempt to simulate an access to user memory will fault. Thus neither simulate_ldr_literal() nor simulate_ldrsw_literal() can do anything useful when simulating a user instruction on any system with HW PAN or SW PAN.

3) The plain C accesses are privileged, as they run in kernel context, and in practice can access a small range of kernel virtual addresses. The instructions they simulate have a range of +/-1MiB, and since the simulated instruction must itself be a user instruction in the TTBR0 address range, these can address the final 1MiB of the TTBR1 address range by wrapping downwards from an address in the first 1MiB of the TTBR0 address range.

   In contemporary kernels the last 8MiB of TTBR1 address range is reserved, and accesses to this will always fault, meaning this is no worse than (1).

   Historically, it was theoretically possible for the linear map or vmemmap to spill into the final 8MiB of the TTBR1 address range, but in practice this is extremely unlikely to occur as this would require either:

   * Having enough physical memory to fill the entire linear map all the way to the final 1MiB of the TTBR1 address range.

   * Getting unlucky with KASLR randomization of the linear map such that the populated region happens to overlap with the last 1MiB of the TTBR address range.

   ... and in either case if we were to spill into the final page there would be larger problems as the final page would alias with error pointers.

Practically speaking, (1) and (2) are the big issues. Given there have been no reports of problems since the broken code was introduced, it appears that no-one is relying on probing these instructions with uprobes.

Avoid these issues by not allowing uprobes on LDR (literal) and LDRSW (literal), limiting the use of simulate_ldr_literal() and simulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR (literal) and LDRSW (literal) will be rejected as arm_probe_decode_insn() will return INSN_REJECTED. In future we can consider introducing working uprobes support for these instructions, but this will require more significant work.
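As an added worked example, not part of the commit or the kernel: the C code below decodes LDR (literal) and LDRSW (literal), computes the PC-relative address the simulation functions would dereference, and shows the wrap from the first 1MiB of the TTBR0 range into the final 1MiB of the TTBR1 range described in point (3), together with the reject-for-uprobes rule the fix introduces. The 48-bit VA split, the 8MiB reserved tail (taken from the description above) and the encode_ldr_lit_x()/probe_decode() helpers are this example's own assumptions, not kernel API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code. Encodings per the Arm ARM:
 *   LDR   Wt/Xt, label : 0x18000000 (bit 30 selects 32/64-bit), mask 0xbf000000
 *   LDRSW Xt,    label : 0x98000000,                              mask 0xff000000
 * imm19 in bits [23:5] is a signed word offset, so the reach is +/-1MiB. */
static bool is_ldr_literal(uint32_t insn)   { return (insn & 0xbf000000u) == 0x18000000u; }
static bool is_ldrsw_literal(uint32_t insn) { return (insn & 0xff000000u) == 0x98000000u; }

/* Helper of this example: build LDR Xt, <pc + byte_offset> (multiple of 4). */
uint32_t encode_ldr_lit_x(int64_t byte_offset, unsigned rt)
{
    uint32_t imm19 = (uint32_t)(byte_offset / 4) & 0x7ffffu;
    return 0x58000000u | (imm19 << 5) | (rt & 0x1fu);
}

/* The address simulate_ldr_literal()/simulate_ldrsw_literal() would read.
 * Unsigned arithmetic wraps, exactly as the hardware address calculation does. */
uint64_t ldr_literal_target(uint32_t insn, uint64_t pc)
{
    int64_t imm19 = (insn >> 5) & 0x7ffff;
    if (imm19 & (1 << 18))
        imm19 -= (1 << 19);                   /* sign-extend 19 bits */
    return pc + (uint64_t)(imm19 * 4);
}

/* Assumption: 48-bit VAs; TTBR0 covers 0x0000_..., TTBR1 covers 0xffff_... */
#define TTBR0_END    0x0000ffffffffffffull
#define TTBR1_START  0xffff000000000000ull
#define MIB          0x100000ull

bool is_ttbr0_va(uint64_t va) { return va <= TTBR0_END; }
bool is_ttbr1_va(uint64_t va) { return va >= TTBR1_START; }
/* The description says the final 8MiB of the TTBR1 range is reserved in
 * contemporary kernels, so an access there always faults. */
bool in_reserved_tail(uint64_t va) { return va >= UINT64_MAX - 8 * MIB + 1; }

/* Outcome model of arm_probe_decode_insn() after the fix for these two
 * instruction classes; other instructions are out of scope here. */
enum probe_decision { INSN_REJECTED, INSN_GOOD_NO_SLOT, INSN_GOOD };

enum probe_decision probe_decode(uint32_t insn, bool kprobe)
{
    if (is_ldr_literal(insn) || is_ldrsw_literal(insn))
        return kprobe ? INSN_GOOD_NO_SLOT : INSN_REJECTED;   /* uprobes: no simulation */
    return INSN_GOOD;
}

int main(void)
{
    /* A user instruction 64KiB into the TTBR0 range, reaching back a full 1MiB. */
    uint64_t pc   = 0x10000;
    uint32_t insn = encode_ldr_lit_x(-(int64_t)MIB, 0);
    uint64_t tgt  = ldr_literal_target(insn, pc);

    printf("insn %08x at pc %#llx -> target %#llx (%s%s)\n", insn,
           (unsigned long long)pc, (unsigned long long)tgt,
           is_ttbr1_va(tgt) ? "kernel range" : is_ttbr0_va(tgt) ? "user range" : "hole",
           in_reserved_tail(tgt) ? ", reserved tail: faults" : "");
    printf("uprobe decision: %s, kprobe decision: %s\n",
           probe_decode(insn, false) == INSN_REJECTED ? "INSN_REJECTED" : "allowed",
           probe_decode(insn, true) == INSN_GOOD_NO_SLOT ? "INSN_GOOD_NO_SLOT" : "other");
    return 0;
}
```

The target 0xfffffffffff10000 is what a plain C load in kernel context would touch: a kernel address, 960KiB below the top of the address space, inside the reserved tail, so on current kernels it faults and case (3) collapses into case (1).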


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe()

A devm_kzalloc() in asoc_qcom_lpass_cpu_platform_probe() could possibly return a NULL pointer. A NULL pointer dereference may be triggered without an additional check. Add a NULL check for the returned pointer.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd/display: Disable PSR-SU on Parade 08-01 TCON too

Stuart Hayhurst has found that both at bootup and fullscreen VA-API video is leading to black screens for around 1 second and kernel WARNING [1] traces when calling dmub_psr_enable() with Parade 08-01 TCON.

These symptoms all go away with PSR-SU disabled for this TCON, so disable it for now while DMUB traces [2] from the failure can be analyzed and the failure state properly root caused.

(cherry picked from commit afb634a6823d8d9db23c5fb04f79c5549349628b)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

xfrm: fix one more kernel-infoleak in algo dumping

During fuzz testing, the following issue was discovered:

  BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x598/0x2a30
   _copy_to_iter+0x598/0x2a30
   __skb_datagram_iter+0x168/0x1060
   skb_copy_datagram_iter+0x5b/0x220
   netlink_recvmsg+0x362/0x1700
   sock_recvmsg+0x2dc/0x390
   __sys_recvfrom+0x381/0x6d0
   __x64_sys_recvfrom+0x130/0x200
   x64_sys_call+0x32c8/0x3cc0
   do_syscall_64+0xd8/0x1c0
   entry_SYSCALL_64_after_hwframe+0x79/0x81

  Uninit was stored to memory at:
   copy_to_user_state_extra+0xcc1/0x1e00
   dump_one_state+0x28c/0x5f0
   xfrm_state_walk+0x548/0x11e0
   xfrm_dump_sa+0x1e0/0x840
   netlink_dump+0x943/0x1c40
   __netlink_dump_start+0x746/0xdb0
   xfrm_user_rcv_msg+0x429/0xc00
   netlink_rcv_skb+0x613/0x780
   xfrm_netlink_rcv+0x77/0xc0
   netlink_unicast+0xe90/0x1280
   netlink_sendmsg+0x126d/0x1490
   __sock_sendmsg+0x332/0x3d0
   ____sys_sendmsg+0x863/0xc30
   ___sys_sendmsg+0x285/0x3e0
   __x64_sys_sendmsg+0x2d6/0x560
   x64_sys_call+0x1316/0x3cc0
   do_syscall_64+0xd8/0x1c0
   entry_SYSCALL_64_after_hwframe+0x79/0x81

  Uninit was created at:
   __kmalloc+0x571/0xd30
   attach_auth+0x106/0x3e0
   xfrm_add_sa+0x2aa0/0x4230
   xfrm_user_rcv_msg+0x832/0xc00
   netlink_rcv_skb+0x613/0x780
   xfrm_netlink_rcv+0x77/0xc0
   netlink_unicast+0xe90/0x1280
   netlink_sendmsg+0x126d/0x1490
   __sock_sendmsg+0x332/0x3d0
   ____sys_sendmsg+0x863/0xc30
   ___sys_sendmsg+0x285/0x3e0
   __x64_sys_sendmsg+0x2d6/0x560
   x64_sys_call+0x1316/0x3cc0
   do_syscall_64+0xd8/0x1c0
   entry_SYSCALL_64_after_hwframe+0x79/0x81

  Bytes 328-379 of 732 are uninitialized
  Memory access of size 732 starts at ffff88800e18e000
  Data copied to user address 00007ff30f48aff0

  CPU: 2 PID: 18167 Comm: syz-executor.0 Not tainted 6.8.11 #1
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014

Fixes copying of xfrm algorithms where some random data of the structure fields can end up in userspace. Padding in structures may be filled with random (possibly sensitive) data and should never be given directly to user-space.

A similar issue was resolved in the commit 8222d5910dae ("xfrm: Zero padding when dumping algos and encap")

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
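To make the infoleak concrete, here is an added example (not the kernel's or the commit's code): a struct shaped like xfrm_algo_auth is filled the way the buggy path does, with only the name string and two integers written into a recycled allocation, then copied out as copy_to_user() would, and the bytes carrying heap residue are counted. The kmalloc_recycled() stand-in, its 0x80-pattern residue and the hmac(sha256) sample name are constructed for the demonstration; zeroing the whole object before filling it is the general remedy, not a claim about the exact patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not kernel code. Shaped like struct xfrm_algo_auth; the
 * trailing flexible key array is left out. */
struct algo_auth {
    char alg_name[64];
    unsigned int alg_key_len;
    unsigned int alg_trunc_len;
};

/* Assumption: kmalloc() without __GFP_ZERO hands back recycled memory. This
 * stand-in fills it with a recognisable non-zero pattern so the leaked bytes
 * can be counted deterministically. */
static void *kmalloc_recycled(size_t n)
{
    unsigned char *p = malloc(n);
    for (size_t i = 0; i < n; i++)
        p[i] = (unsigned char)(0x80 | (i & 0x3f));
    return p;
}

static void fill_fields(struct algo_auth *a, const char *name, unsigned key_len, unsigned trunc_len)
{
    memcpy(a->alg_name, name, strlen(name) + 1);   /* name bytes and NUL only */
    a->alg_key_len = key_len;
    a->alg_trunc_len = trunc_len;
}

/* Buggy: the rest of alg_name (and any padding) keeps heap residue. */
struct algo_auth *build_algo_buggy(const char *name, unsigned key_len, unsigned trunc_len)
{
    struct algo_auth *a = kmalloc_recycled(sizeof(*a));
    fill_fields(a, name, key_len, trunc_len);
    return a;
}

/* Fixed: zero the object before filling it, the general remedy for any
 * struct that will be copied to userspace. */
struct algo_auth *build_algo_fixed(const char *name, unsigned key_len, unsigned trunc_len)
{
    struct algo_auth *a = kmalloc_recycled(sizeof(*a));
    memset(a, 0, sizeof(*a));
    fill_fields(a, name, key_len, trunc_len);
    return a;
}

/* What copy_to_user() hands out: a byte-for-byte image of the struct. */
static void dump_to_user(unsigned char *ubuf, const struct algo_auth *a)
{
    memcpy(ubuf, a, sizeof(*a));
}

/* Bytes of the user copy inside alg_name past the terminator that are not
 * zero: the bytes KMSAN reports as uninitialized. */
size_t residue_bytes(const unsigned char *ubuf)
{
    size_t name_max = sizeof(((struct algo_auth *)0)->alg_name);
    size_t i = 0, n = 0;

    while (i < name_max && ubuf[i] != '\0')
        i++;                                     /* skip the name itself */
    for (i = i + 1; i < name_max; i++)
        n += ubuf[i] != 0;
    return n;
}

/* Build, dump, measure, free. Returns the number of leaked bytes. */
size_t leak_demo(int fixed)
{
    unsigned char ubuf[sizeof(struct algo_auth)];
    struct algo_auth *a = fixed ? build_algo_fixed("hmac(sha256)", 256, 128)
                                : build_algo_buggy("hmac(sha256)", 256, 128);
    dump_to_user(ubuf, a);
    free(a);
    return residue_bytes(ubuf);
}

int main(void)
{
    printf("buggy dump: %zu bytes of heap residue reach userspace\n", leak_demo(0));
    printf("fixed dump: %zu bytes\n", leak_demo(1));
    return 0;
}
```

With a 12-character name the buggy copy exports 51 bytes of whatever the allocation held before; the fixed copy exports none. The same counting approach works as a regression check for any netlink dump path: fill the allocation with a pattern, dump, and scan for it.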


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory

Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits 4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn't enforce 32-byte alignment of nCR3.

In the absolute worst case scenario, failure to ignore bits 4:0 can result in an out-of-bounds read, e.g. if the target page is at the end of a memslot, and the VMM isn't using guard pages.

Per the APM:

  The CR3 register points to the base address of the page-directory-pointer table. The page-directory-pointer table is aligned on a 32-byte boundary, with the low 5 address bits 4:0 assumed to be 0.

And the SDM's much more explicit:

  4:0    Ignored

Note, KVM gets this right when loading PDPTRs, it's only the nSVM flow that is broken.
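An added worked example (not KVM code) of why bits 4:0 matter: with a 32-byte PDPT the masked start can never cross a page, while the unmasked nCR3 can start 31 bytes before a page boundary and read into whatever follows. The one-page memslot at gpa 0x1000 with no guard page, and the backing buffer marked 0xEE outside the slot, are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not KVM code. A PAE PDPT is four 8-byte entries, 32 bytes,
 * 32-byte aligned; CR3 bits 4:0 are ignored by hardware. */
#define PAGE_SIZE      4096ull
#define PDPT_BYTES     32ull
#define CR3_PDPT_MASK  (~0x1full)

/* Guest-physical address the PDPTE load starts at. fixed == false uses the
 * low bits as-is, which is the bug. */
uint64_t pdpt_gpa(uint64_t ncr3, bool fixed)
{
    return fixed ? (ncr3 & CR3_PDPT_MASK) : ncr3;
}

/* A 32-byte-aligned table never straddles a page; an unaligned start can. */
bool pdpt_read_crosses_page(uint64_t ncr3, bool fixed)
{
    return (pdpt_gpa(ncr3, fixed) & (PAGE_SIZE - 1)) + PDPT_BYTES > PAGE_SIZE;
}

/* Assumption: a memslot [slot_base, slot_base + slot_npages * PAGE_SIZE) with
 * nothing mapped behind it, i.e. the VMM uses no guard page. */
bool pdpt_read_in_slot(uint64_t slot_base, uint64_t slot_npages, uint64_t ncr3, bool fixed)
{
    uint64_t start = pdpt_gpa(ncr3, fixed);
    uint64_t end = start + PDPT_BYTES;                   /* exclusive */
    return start >= slot_base && end > start && end <= slot_base + slot_npages * PAGE_SIZE;
}

/* Emulate the load against constructed guest memory: one page at gpa 0x1000
 * belongs to the slot, the page after it does not and is marked 0xEE.
 * Returns how many of the 32 bytes were read from outside the slot. */
unsigned pdpt_oob_bytes(uint64_t ncr3, bool fixed)
{
    static unsigned char backing[2 * PAGE_SIZE];
    const uint64_t slot_base = PAGE_SIZE;                /* backing[0] is gpa 0x1000 */
    uint64_t start = pdpt_gpa(ncr3, fixed);
    unsigned oob = 0;

    for (size_t i = 0; i < sizeof(backing); i++)
        backing[i] = i < PAGE_SIZE ? 0x00 : 0xEE;
    if (start < slot_base || start - slot_base + PDPT_BYTES > sizeof(backing))
        return PDPT_BYTES;                               /* nothing there at all */
    for (uint64_t i = 0; i < PDPT_BYTES; i++)
        oob += backing[start - slot_base + i] == 0xEE;
    return oob;
}

int main(void)
{
    /* nCR3 pointing at the last 32-byte table of the slot's only page, with
     * bits 4:0 set: 0x1fff instead of the aligned 0x1fe0. */
    uint64_t ncr3 = 0x1fff;
    for (int fixed = 0; fixed < 2; fixed++)
        printf("%s: start %#llx, crosses page: %d, inside slot: %d, oob bytes: %u\n",
               fixed ? "fixed" : "buggy", (unsigned long long)pdpt_gpa(ncr3, fixed),
               pdpt_read_crosses_page(ncr3, fixed), pdpt_read_in_slot(0x1000, 1, ncr3, fixed),
               pdpt_oob_bytes(ncr3, fixed));
    return 0;
}
```

The unmasked read pulls 31 of its 32 bytes from past the end of the slot; masking moves the start back to 0x1fe0 and keeps the whole table inside the page, which is also why the worst case in the description needs both a slot-final page and an absent guard page.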


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix kernel bug due to missing clearing of buffer delay flag

Syzbot reported that after nilfs2 reads a corrupted file system image and degrades to read-only, the BUG_ON check for the buffer delay flag in submit_bh_wbc() may fail, causing a kernel bug.

This is because the buffer delay flag is not cleared when clearing the buffer state flags to discard a page/folio or a buffer head. So, fix this.

This became necessary when the use of nilfs2's own page clear routine was expanded. This state inconsistency does not occur if the buffer is written normally by log writing.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

drm/amd: Guard against bad data for ATIF ACPI method

If a BIOS provides bad data in response to an ATIF method call this causes a NULL pointer dereference in the caller.

```
? show_regs (arch/x86/kernel/dumpstack.c:478 (discriminator 1))
? __die (arch/x86/kernel/dumpstack.c:423 arch/x86/kernel/dumpstack.c:434)
? page_fault_oops (arch/x86/mm/fault.c:544 (discriminator 2) arch/x86/mm/fault.c:705 (discriminator 2))
? do_user_addr_fault (arch/x86/mm/fault.c:440 (discriminator 1) arch/x86/mm/fault.c:1232 (discriminator 1))
? acpi_ut_update_object_reference (drivers/acpi/acpica/utdelete.c:642)
? exc_page_fault (arch/x86/mm/fault.c:1542)
? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:387 (discriminator 2)) amdgpu
? amdgpu_atif_query_backlight_caps.constprop.0 (drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c:386 (discriminator 1)) amdgpu
```

It has been encountered on at least one system, so guard for it.

(cherry picked from commit c9b7c809b89f24e9372a4e7f02d64c950b07fdee)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: ISO: Fix UAF on iso_sock_timeout

conn->sk may have been unlinked/freed while waiting for iso_conn_lock, so this checks if conn->sk is still valid by checking if it is part of iso_sk_list.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: SCO: Fix UAF on sco_sock_timeout

conn->sk may have been unlinked/freed while waiting for sco_conn_lock, so this checks if conn->sk is still valid by checking if it is part of sco_sk_list.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

net: sched: fix use-after-free in taprio_change()

In 'taprio_change()', 'admin' pointer may become dangling due to sched switch / removal caused by 'advance_sched()', and the critical section protected by 'q->current_entry_lock' is too small to prevent such a scenario (which causes a use-after-free detected by KASAN). Fix this by preferring 'rcu_replace_pointer()' over 'rcu_assign_pointer()' to update 'admin' immediately before an attempt to schedule freeing.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved:

net: wwan: fix global oob in wwan_rtnl_policy

The variable wwan_rtnl_link_ops assign a *bigger* maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. Exactly same bug cause as the oob fixed in commit b33fb5b801c6 ("net: qualcomm: rmnet: fix global oob in rmnet_policy").

  ==================================================================
  BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:388 [inline]
  BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603
  Read of size 1 at addr ffffffff8b09cb60 by task syz.1.66276/323862

  CPU: 0 PID: 323862 Comm: syz.1.66276 Not tainted 6.1.70 #1
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
  Call Trace:
   <TASK>
   __dump_stack lib/dump_stack.c:88 [inline]
   dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106
   print_address_description mm/kasan/report.c:284 [inline]
   print_report+0x14f/0x750 mm/kasan/report.c:395
   kasan_report+0x139/0x170 mm/kasan/report.c:495
   validate_nla lib/nlattr.c:388 [inline]
   __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603
   __nla_parse+0x3c/0x50 lib/nlattr.c:700
   nla_parse_nested_deprecated include/net/netlink.h:1269 [inline]
   __rtnl_newlink net/core/rtnetlink.c:3514 [inline]
   rtnl_newlink+0x7bc/0x1fd0 net/core/rtnetlink.c:3623
   rtnetlink_rcv_msg+0x794/0xef0 net/core/rtnetlink.c:6122
   netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508
   netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
   netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352
   netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874
   sock_sendmsg_nosec net/socket.c:716 [inline]
   __sock_sendmsg net/socket.c:728 [inline]
   ____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499
   ___sys_sendmsg+0x21c/0x290 net/socket.c:2553
   __sys_sendmsg net/socket.c:2582 [inline]
   __do_sys_sendmsg net/socket.c:2591 [inline]
   __se_sys_sendmsg+0x19e/0x270 net/socket.c:2589
   do_syscall_x64 arch/x86/entry/common.c:51 [inline]
   do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81
   entry_SYSCALL_64_after_hwframe+0x63/0xcd
  RIP: 0033:0x7f67b19a24ad
  RSP: 002b:00007f67b17febb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
  RAX: ffffffffffffffda RBX: 00007f67b1b45f80 RCX: 00007f67b19a24ad
  RDX: 0000000000000000 RSI: 0000000020005e40 RDI: 0000000000000004
  RBP: 00007f67b1a1e01d R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
  R13: 00007ffd2513764f R14: 00007ffd251376e0 R15: 00007f67b17fed40
   </TASK>

  The buggy address belongs to the variable:
   wwan_rtnl_policy+0x20/0x40

  The buggy address belongs to the physical page:
  page:ffffea00002c2700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb09c
  flags: 0xfff00000001000(reserved|node=0|zone=1|lastcpupid=0x7ff)
  raw: 00fff00000001000 ffffea00002c2708 ffffea00002c2708 0000000000000000
  raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
  page dumped because: kasan: bad access detected
  page_owner info is not present (never set?)

  Memory state around the buggy address:
   ffffffff8b09ca00: 05 f9 f9 f9 05 f9 f9 f9 00 01 f9 f9 00 01 f9 f9
   ffffffff8b09ca80: 00 00 00 05 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9
  >ffffffff8b09cb00: 00 00 00 00 05 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
                                                         ^
   ffffffff8b09cb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ==================================================================

According to the comment of `nla_parse_nested_deprecated`, use correct size `IFLA_WWAN_MAX` here to fix this issue.
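Added example, not kernel code, of the mismatch the commit describes: a policy array sized IFLA_WWAN_MAX + 1 handed to the parser with a larger maxtype. The validate_attrs() skeleton follows the shape of __nla_validate_parse() but takes an extra policy_entries argument so it can report, rather than perform, the read past the array; the attribute types and the WWAN_MAXTYPE_BUGGY constant are constructed for the example (the real driver's constant is not reproduced here).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code. Attribute numbering in the IFLA_WWAN_*
 * style: a policy array is sized IFLA_WWAN_MAX + 1 and indexed by type. */
enum { IFLA_WWAN_UNSPEC, IFLA_WWAN_LINK_ID, __IFLA_WWAN_MAX };
#define IFLA_WWAN_MAX   (__IFLA_WWAN_MAX - 1)
#define ARRAY_SIZE(a)   (sizeof(a) / sizeof((a)[0]))

enum nla_kind { NLA_UNSPEC, NLA_U32, NLA_REJECT };
struct nla_policy { enum nla_kind type; };

static const struct nla_policy wwan_rtnl_policy[IFLA_WWAN_MAX + 1] = {
    [IFLA_WWAN_LINK_ID] = { .type = NLA_U32 },
};

/* The bug: a maxtype larger than the policy array. Any value above
 * IFLA_WWAN_MAX reproduces it (constructed value, not the driver's). */
#define WWAN_MAXTYPE_BUGGY  (IFLA_WWAN_MAX + 6)
#define WWAN_MAXTYPE_FIXED  IFLA_WWAN_MAX

enum { PARSE_OK = 0, PARSE_REJECTED = -1, PARSE_OOB_READ = -2 };

/* Skeleton of __nla_validate_parse()/validate_nla(): for every attribute
 * whose type is within maxtype, consult policy[type]. The kernel has no
 * policy_entries argument; it exists here only to detect the out-of-bounds
 * read instead of performing it. */
int validate_attrs(const struct nla_policy *policy, size_t policy_entries, int maxtype,
                   const uint16_t *types, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        int type = types[i];

        if (type == 0 || type > maxtype)
            continue;               /* unknown attribute: the deprecated parser skips it */
        if ((size_t)type >= policy_entries)
            return PARSE_OOB_READ;  /* the kernel would read policy[type] past the array */
        if (policy[type].type == NLA_REJECT)
            return PARSE_REJECTED;
        /* ... type/length validation of the attribute payload follows ... */
    }
    return PARSE_OK;
}

/* Constructed IFLA_INFO_DATA attribute types as a local user could send them
 * in RTM_NEWLINK: one the driver defines, one well above its range. */
int parse_wwan_attrs(int maxtype)
{
    static const uint16_t types[] = { IFLA_WWAN_LINK_ID, IFLA_WWAN_MAX + 4 };
    return validate_attrs(wwan_rtnl_policy, ARRAY_SIZE(wwan_rtnl_policy), maxtype,
                          types, ARRAY_SIZE(types));
}

/* The invariant the fix restores: maxtype must equal ARRAY_SIZE(policy) - 1. */
int maxtype_matches_policy(int maxtype)
{
    return maxtype == (int)ARRAY_SIZE(wwan_rtnl_policy) - 1;
}

int main(void)
{
    int maxtypes[] = { WWAN_MAXTYPE_BUGGY, WWAN_MAXTYPE_FIXED };
    for (size_t i = 0; i < ARRAY_SIZE(maxtypes); i++)
        printf("maxtype %d: parse result %d (%s)\n", maxtypes[i], parse_wwan_attrs(maxtypes[i]),
               maxtype_matches_policy(maxtypes[i]) ? "consistent with policy" : "bigger than policy");
    return 0;
}
```

The attacker-controlled part is only the attribute type in the message: with the oversized maxtype the parser trusts it as an index into a two-entry array, which is the global-out-of-bounds read KASAN reported. A static check that maxtype == ARRAY_SIZE(policy) - 1 at the call site catches the whole class.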


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: tracing: Consider the NULL character when validating the event length

strlen() returns a string length excluding the null byte. If the string length equals the maximum buffer length, the buffer will have no space for the NULL terminating character. This commit checks this condition and returns failure for it.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA

Replace the fake VLA at end of the vbva_mouse_pointer_shape shape with a real VLA to fix a "memcpy: detected field-spanning write error" warning:

[ 13.319813] memcpy: detected field-spanning write (size 16896) of single field "p->data" at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 (size 4)
[ 13.319841] WARNING: CPU: 0 PID: 1105 at drivers/gpu/drm/vboxvideo/hgsmi_base.c:154 hgsmi_update_pointer_shape+0x192/0x1c0 [vboxvideo]
[ 13.320038] Call Trace:
[ 13.320173] hgsmi_update_pointer_shape [vboxvideo]
[ 13.320184] vbox_cursor_atomic_update [vboxvideo]

Note, as mentioned in the added comment, it seems the original length calculation for the allocated and sent hgsmi buffer is 4 bytes too large. Changing this is not the goal of this patch, so this behavior is kept.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: nvme-pci: fix race condition between reset and nvme_dev_disable()

nvme_dev_disable() modifies the dev->online_queues field, therefore nvme_pci_update_nr_queues() should avoid racing against it, otherwise we could end up passing invalid values to blk_mq_update_nr_hw_queues().

WARNING: CPU: 39 PID: 61303 at drivers/pci/msi/api.c:347 pci_irq_get_affinity+0x187/0x210
Workqueue: nvme-reset-wq nvme_reset_work [nvme]
RIP: 0010:pci_irq_get_affinity+0x187/0x210
Call Trace:
<TASK>
? blk_mq_pci_map_queues+0x87/0x3c0
? pci_irq_get_affinity+0x187/0x210
blk_mq_pci_map_queues+0x87/0x3c0
nvme_pci_map_queues+0x189/0x460 [nvme]
blk_mq_update_nr_hw_queues+0x2a/0x40
nvme_reset_work+0x1be/0x2a0 [nvme]

Fix the bug by locking the shutdown_lock mutex before using dev->online_queues. Give up if nvme_dev_disable() is running or if it has been executed already.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Use raw_spinlock_t in ringbuf

The function __bpf_ringbuf_reserve is invoked from a tracepoint, which disables preemption. Using spinlock_t in this context can lead to a "sleep in atomic" warning in the RT variant. This issue is illustrated in the example below:

BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 556208, name: test_progs
preempt_count: 1, expected: 0
RCU nest depth: 1, expected: 1
INFO: lockdep is turned off.
Preemption disabled at:
[<ffffd33a5c88ea44>] migrate_enable+0xc0/0x39c
CPU: 7 PID: 556208 Comm: test_progs Tainted: G
Hardware name: Qualcomm SA8775P Ride (DT)
Call trace:
dump_backtrace+0xac/0x130
show_stack+0x1c/0x30
dump_stack_lvl+0xac/0xe8
dump_stack+0x18/0x30
__might_resched+0x3bc/0x4fc
rt_spin_lock+0x8c/0x1a4
__bpf_ringbuf_reserve+0xc4/0x254
bpf_ringbuf_reserve_dynptr+0x5c/0xdc
bpf_prog_ac3d15160d62622a_test_read_write+0x104/0x238
trace_call_bpf+0x238/0x774
perf_call_bpf_enter.isra.0+0x104/0x194
perf_syscall_enter+0x2f8/0x510
trace_sys_enter+0x39c/0x564
syscall_trace_enter+0x220/0x3c0
do_el0_svc+0x138/0x1dc
el0_svc+0x54/0x130
el0t_64_sync_handler+0x134/0x150
el0t_64_sync+0x17c/0x180

Switch the spinlock to raw_spinlock_t to avoid this error.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ACPI: PRM: Find EFI_MEMORY_RUNTIME block for PRM handler and context

PRMT needs to find the correct type of block to translate the PA-VA mapping for EFI runtime services. The issue arises because the PRMT is finding a block of type EFI_CONVENTIONAL_MEMORY, which is not appropriate for runtime services as described in Section 2.2.2 (Runtime Services) of the UEFI Specification [1]. Since the PRM handler is a type of runtime service, this causes an exception when the PRM handler is called.

[Firmware Bug]: Unable to handle paging request in EFI runtime service
WARNING: CPU: 22 PID: 4330 at drivers/firmware/efi/runtime-wrappers.c:341 __efi_queue_work+0x11c/0x170
Call trace:

Let PRMT find a block with EFI_MEMORY_RUNTIME for PRM handler and PRM context. If no suitable block is found, a warning message will be printed, but the procedure continues to manage the next PRM handler. However, if the PRM handler is actually called without proper allocation, it would result in a failure during error handling.

By using the correct memory types for runtime services, ensure that the PRM handler and the context are properly mapped in the virtual address space during runtime, preventing the paging request error.

The issue is really that only memory that has been remapped for runtime by the firmware can be used by the PRM handler, and so the region needs to have the EFI_MEMORY_RUNTIME attribute.

[ rjw: Subject and changelog edits ]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don't call cleanup on profile rollback failure

When profile rollback fails in mlx5e_netdev_change_profile, the netdev profile var is left set to NULL. Avoid a crash when unloading the driver by not calling profile->cleanup in such a case.

This was encountered while testing, with the original trigger that the wq rescuer thread creation got interrupted (presumably due to Ctrl+C-ing modprobe), which gets converted to ENOMEM (-12) by mlx5e_priv_init; the profile rollback also fails for the same reason (signal still active), so the profile is left as NULL, leading to a crash later in _mlx5e_remove.

[ 732.473932] mlx5_core 0000:08:00.1: E-Switch: Unload vfs: mode(OFFLOADS), nvfs(2), necvfs(0), active vports(2)
[ 734.525513] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
[ 734.557372] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12
[ 734.559187] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: new profile init failed, -12
[ 734.560153] workqueue: Failed to create a rescuer kthread for wq "mlx5e": -EINTR
[ 734.589378] mlx5_core 0000:08:00.1: mlx5e_netdev_init_profile:6235:(pid 6086): mlx5e_priv_init failed, err=-12
[ 734.591136] mlx5_core 0000:08:00.1 eth3: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12
[ 745.537492] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 745.538222] #PF: supervisor read access in kernel mode
<snipped>
[ 745.551290] Call Trace:
[ 745.551590] <TASK>
[ 745.551866] ? __die+0x20/0x60
[ 745.552218] ? page_fault_oops+0x150/0x400
[ 745.555307] ? exc_page_fault+0x79/0x240
[ 745.555729] ? asm_exc_page_fault+0x22/0x30
[ 745.556166] ? mlx5e_remove+0x6b/0xb0 [mlx5_core]
[ 745.556698] auxiliary_bus_remove+0x18/0x30
[ 745.557134] device_release_driver_internal+0x1df/0x240
[ 745.557654] bus_remove_device+0xd7/0x140
[ 745.558075] device_del+0x15b/0x3c0
[ 745.558456] mlx5_rescan_drivers_locked.part.0+0xb1/0x2f0 [mlx5_core]
[ 745.559112] mlx5_unregister_device+0x34/0x50 [mlx5_core]
[ 745.559686] mlx5_uninit_one+0x46/0xf0 [mlx5_core]
[ 745.560203] remove_one+0x4e/0xd0 [mlx5_core]
[ 745.560694] pci_device_remove+0x39/0xa0
[ 745.561112] device_release_driver_internal+0x1df/0x240
[ 745.561631] driver_detach+0x47/0x90
[ 745.562022] bus_remove_driver+0x84/0x100
[ 745.562444] pci_unregister_driver+0x3b/0x90
[ 745.562890] mlx5_cleanup+0xc/0x1b [mlx5_core]
[ 745.563415] __x64_sys_delete_module+0x14d/0x2f0
[ 745.563886] ? kmem_cache_free+0x1b0/0x460
[ 745.564313] ? lockdep_hardirqs_on_prepare+0xe2/0x190
[ 745.564825] do_syscall_64+0x6d/0x140
[ 745.565223] entry_SYSCALL_64_after_hwframe+0x4b/0x53
[ 745.565725] RIP: 0033:0x7f1579b1288b


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix command bitmask initialization

The command bitmask has a dedicated bit for the MANAGE_PAGES command; this bit isn't initialized during command bitmask initialization, only during MANAGE_PAGES. In addition, mlx5_cmd_trigger_completions() is trying to trigger completion for the MANAGE_PAGES command as well.

Hence, in case a health error occurred before any MANAGE_PAGES command has been invoked (for example, during mlx5_enable_hca()), mlx5_cmd_trigger_completions() will try to trigger completion for the MANAGE_PAGES command, which will result in a null-ptr-deref error. [1]

Fix it by initializing the command bitmask correctly. While at it, re-write the code for better understanding.

[1]
BUG: KASAN: null-ptr-deref in mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]
Write of size 4 at addr 0000000000000214 by task kworker/u96:2/12078
CPU: 10 PID: 12078 Comm: kworker/u96:2 Not tainted 6.9.0-rc2_for_upstream_debug_2024_04_07_19_01 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: mlx5_health0000:08:00.0 mlx5_fw_fatal_reporter_err_work [mlx5_core]
Call Trace:
<TASK>
dump_stack_lvl+0x7e/0xc0
kasan_report+0xb9/0xf0
kasan_check_range+0xec/0x190
mlx5_cmd_trigger_completions+0x1db/0x600 [mlx5_core]
mlx5_cmd_flush+0x94/0x240 [mlx5_core]
enter_error_state+0x6c/0xd0 [mlx5_core]
mlx5_fw_fatal_reporter_err_work+0xf3/0x480 [mlx5_core]
process_one_work+0x787/0x1490
? lockdep_hardirqs_on_prepare+0x400/0x400
? pwq_dec_nr_in_flight+0xda0/0xda0
? assign_work+0x168/0x240
worker_thread+0x586/0xd30
? rescuer_thread+0xae0/0xae0
kthread+0x2df/0x3b0
? kthread_complete_and_exit+0x20/0x20
ret_from_fork+0x2d/0x70
? kthread_complete_and_exit+0x20/0x20
ret_from_fork_asm+0x11/0x20
</TASK>


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bnep: fix wild-memory-access in proto_unregister

There's an issue as follows:

KASAN: maybe wild-memory-access in range [0xdead...108-0xdead...10f]
CPU: 3 UID: 0 PID: 2805 Comm: rmmod Tainted: G W
RIP: 0010:proto_unregister+0xee/0x400
Call Trace:
<TASK>
__do_sys_delete_module+0x318/0x580
do_syscall_64+0xc1/0x1d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f

bnep_init() ignores bnep_sock_init()'s return value, and bnep_sock_init() will clean up all resources. Then, when the bnep module is removed, bnep_sock_cleanup() will be called to clean up the sock's resources.

To solve the above issue, just return bnep_sock_init()'s return value in bnep_exit().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmode should keep reference to parent

The altmode device release refers to its parent device, but without keeping a reference to it.

When registering the altmode, get a reference to the parent and put it in the release function.

Before this fix, when using CONFIG_DEBUG_KOBJECT_RELEASE, we see issues like this:

[ 43.572860] kobject: 'port0.0' (ffff8880057ba008): kobject_release, parent 0000000000000000 (delayed 3000)
[ 43.573532] kobject: 'port0.1' (ffff8880057bd008): kobject_release, parent 0000000000000000 (delayed 1000)
[ 43.574407] kobject: 'port0' (ffff8880057b9008): kobject_release, parent 0000000000000000 (delayed 3000)
[ 43.575059] kobject: 'port1.0' (ffff8880057ca008): kobject_release, parent 0000000000000000 (delayed 4000)
[ 43.575908] kobject: 'port1.1' (ffff8880057c9008): kobject_release, parent 0000000000000000 (delayed 4000)
[ 43.576908] kobject: 'typec' (ffff8880062dbc00): kobject_release, parent 0000000000000000 (delayed 4000)
[ 43.577769] kobject: 'port1' (ffff8880057bf008): kobject_release, parent 0000000000000000 (delayed 3000)
[ 46.612867] ==================================================================
[ 46.613402] BUG: KASAN: slab-use-after-free in typec_altmode_release+0x38/0x129
[ 46.614003] Read of size 8 at addr ffff8880057b9118 by task kworker/2:1/48
[ 46.614538]
[ 46.614668] CPU: 2 UID: 0 PID: 48 Comm: kworker/2:1 Not tainted 6.12.0-rc1-00138-gedbae730ad31 #535
[ 46.615391] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[ 46.616042] Workqueue: events kobject_delayed_cleanup
[ 46.616446] Call Trace:
[ 46.616648] <TASK>
[ 46.616820] dump_stack_lvl+0x5b/0x7c
[ 46.617112] ? typec_altmode_release+0x38/0x129
[ 46.617470] print_report+0x14c/0x49e
[ 46.617769] ? rcu_read_unlock_sched+0x56/0x69
[ 46.618117] ? __virt_addr_valid+0x19a/0x1ab
[ 46.618456] ? kmem_cache_debug_flags+0xc/0x1d
[ 46.618807] ? typec_altmode_release+0x38/0x129
[ 46.619161] kasan_report+0x8d/0xb4
[ 46.619447] ? typec_altmode_release+0x38/0x129
[ 46.619809] ? process_scheduled_works+0x3cb/0x85f
[ 46.620185] typec_altmode_release+0x38/0x129
[ 46.620537] ? process_scheduled_works+0x3cb/0x85f
[ 46.620907] device_release+0xaf/0xf2
[ 46.621206] kobject_delayed_cleanup+0x13b/0x17a
[ 46.621584] process_scheduled_works+0x4f6/0x85f
[ 46.621955] ? __pfx_process_scheduled_works+0x10/0x10
[ 46.622353] ? hlock_class+0x31/0x9a
[ 46.622647] ? lock_acquired+0x361/0x3c3
[ 46.622956] ? move_linked_works+0x46/0x7d
[ 46.623277] worker_thread+0x1ce/0x291
[ 46.623582] ? __kthread_parkme+0xc8/0xdf
[ 46.623900] ? __pfx_worker_thread+0x10/0x10
[ 46.624236] kthread+0x17e/0x190
[ 46.624501] ? kthread+0xfb/0x190
[ 46.624756] ? __pfx_kthread+0x10/0x10
[ 46.625015] ret_from_fork+0x20/0x40
[ 46.625268] ? __pfx_kthread+0x10/0x10
[ 46.625532] ret_from_fork_asm+0x1a/0x30
[ 46.625805] </TASK>
[ 46.625953]
[ 46.626056] Allocated by task 678:
[ 46.626287] kasan_save_stack+0x24/0x44
[ 46.626555] kasan_save_track+0x14/0x2d
[ 46.626811] __kasan_kmalloc+0x3f/0x4d
[ 46.627049] __kmalloc_noprof+0x1bf/0x1f0
[ 46.627362] typec_register_port+0x23/0x491
[ 46.627698] cros_typec_probe+0x634/0xbb6
[ 46.628026] platform_probe+0x47/0x8c
[ 46.628311] really_probe+0x20a/0x47d
[ 46.628605] device_driver_attach+0x39/0x72
[ 46.628940] bind_store+0x87/0xd7
[ 46.629213] kernfs_fop_write_iter+0x1aa/0x218
[ 46.629574] vfs_write+0x1d6/0x29b
[ 46.629856] ksys_write+0xcd/0x13b
[ 46.630128] do_syscall_64+0xd4/0x139
[ 46.630420] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 46.630820]
[ 46.630946] Freed by task 48:
[ 46.631182] kasan_save_stack+0x24/0x44
[ 46.631493] kasan_save_track+0x14/0x2d
[ 46.631799] kasan_save_free_info+0x3f/0x4d
[ 46.632144] __kasan_slab_free+0x37/0x45
[ 46.632474]
---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Fix null-ptr-deref in target_alloc_device()

There is a null-ptr-deref issue reported by KASAN:

BUG: KASAN: null-ptr-deref in target_alloc_device+0xbc4/0xbe0 [target_core_mod]
...
kasan_report+0xb9/0xf0
target_alloc_device+0xbc4/0xbe0 [target_core_mod]
core_dev_setup_virtual_lun0+0xef/0x1f0 [target_core_mod]
target_core_init_configfs+0x205/0x420 [target_core_mod]
do_one_initcall+0xdd/0x4e0
...
entry_SYSCALL_64_after_hwframe+0x76/0x7e

In target_alloc_device(), if allocating memory for dev queues fails, then dev will be freed by dev->transport->free_device(), but dev->transport is not initialized at that time, which will lead to a null pointer dereference problem.

Fix this bug by freeing dev with hba->backend->ops->free_device().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().

Martin KaFai Lau reported use-after-free [0] in reqsk_timer_handler().

"""
We are seeing a use-after-free from a bpf prog attached to trace_tcp_retransmit_synack. The program passes the req->sk to the bpf_sk_storage_get_tracing kernel helper which does check for null before using it.
"""

The commit 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()") added timer_pending() in reqsk_queue_unlink() not to call del_timer_sync() from reqsk_timer_handler(), but it introduced a small race window.

Before the timer is called, expire_timers() calls detach_timer(timer, true) to clear timer->entry.pprev and marks it as not pending.

If reqsk_queue_unlink() checks timer_pending() just after expire_timers() calls detach_timer(), TCP will miss del_timer_sync(); the reqsk timer will continue running and send multiple SYN+ACKs until it expires.

The reported UAF could happen if req->sk is close()d earlier than the timer expiration, which is 63s by default.

The scenario would be
1. inet_csk_complete_hashdance() calls inet_csk_reqsk_queue_drop(), but del_timer_sync() is missed
2. reqsk timer is executed and scheduled again
3. req->sk is accept()ed and reqsk_put() decrements rsk_refcnt, but reqsk timer still has another one, and inet_csk_accept() does not clear req->sk for non-TFO sockets
4. sk is close()d
5. reqsk timer is executed again, and BPF touches req->sk

Let's not use timer_pending() by passing the caller context to __inet_csk_reqsk_queue_drop().

Note that reqsk timer is pinned, so the issue does not happen in most use cases.

[1]

[0]
BUG: KFENCE: use-after-free read in bpf_sk_storage_get_tracing+0x2e/0x1b0
Use-after-free read at 0x00000000a891fb3a (in kfence-#1):
bpf_sk_storage_get_tracing+0x2e/0x1b0
bpf_prog_5ea3e95db6da0438_tcp_retransmit_synack+0x1d20/0x1dda
bpf_trace_run2+0x4c/0xc0
tcp_rtx_synack+0xf9/0x100
reqsk_timer_handler+0xda/0x3d0
run_timer_softirq+0x292/0x8a0
irq_exit_rcu+0xf5/0x320
sysvec_apic_timer_interrupt+0x6d/0x80
asm_sysvec_apic_timer_interrupt+0x16/0x20
intel_idle_irq+0x5a/0xa0
cpuidle_enter_state+0x94/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
kfence-#1: 0x00000000a72cc7b6-0x00000000d97616d9, size=2376, cache=TCPv6
allocated by task 0 on cpu 9 at 260507.901592s:
sk_prot_alloc+0x35/0x140
sk_clone_lock+0x1f/0x3f0
inet_csk_clone_lock+0x15/0x160
tcp_create_openreq_child+0x1f/0x410
tcp_v6_syn_recv_sock+0x1da/0x700
tcp_check_req+0x1fb/0x510
tcp_v6_rcv+0x98b/0x1420
ipv6_list_rcv+0x2258/0x26e0
napi_complete_done+0x5b1/0x2990
mlx5e_napi_poll+0x2ae/0x8d0
net_rx_action+0x13e/0x590
irq_exit_rcu+0xf5/0x320
common_interrupt+0x80/0x90
asm_common_interrupt+0x22/0x40
cpuidle_enter_state+0xfb/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb
freed by task 0 on cpu 9 at 260507.927527s:
rcu_core_si+0x4ff/0xf10
irq_exit_rcu+0xf5/0x320
sysvec_apic_timer_interrupt+0x6d/0x80
asm_sysvec_apic_timer_interrupt+0x16/0x20
cpuidle_enter_state+0xfb/0x273
cpu_startup_entry+0x15e/0x260
start_secondary+0x8a/0x90
secondary_startup_64_no_verify+0xfa/0xfb


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: netdevsim: use cond_resched() in nsim_dev_trap_report_work()

I am still seeing many syzbot reports hinting that syzbot might fool nsim_dev_trap_report_work() with hundreds of ports [1]

Let's use cond_resched(), and system_unbound_wq instead of implicit system_wq.

[1]
INFO: task syz-executor:20633 blocked for more than 143 seconds.
Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor state:D stack:25856 pid:20633 tgid:20633 ppid:1 flags:0x00004006
...
NMI backtrace for cpu 1
CPU: 1 UID: 0 PID: 16760 Comm: kworker/1:0 Not tainted 6.12.0-rc2-syzkaller-00205-g1d227fcc7222 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: events nsim_dev_trap_report_work
RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x70 kernel/kcov.c:210
Code: 89 fb e8 23 00 00 00 48 8b 3d 04 fb 9c 0c 48 89 de 5b e9 c3 c7 5d 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f 1e fa 48 8b 04 24 65 48 8b 0c 25 c0 d7 03 00 65 8b 15 60 f0
RSP: 0018:ffffc90000a187e8 EFLAGS: 00000246
RAX: 0000000000000100 RBX: ffffc90000a188e0 RCX: ffff888027d3bc00
RDX: ffff888027d3bc00 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff88804a2e6000 R08: ffffffff8a4bc495 R09: ffffffff89da3577
R10: 0000000000000004 R11: ffffffff8a4bc2b0 R12: dffffc0000000000
R13: ffff88806573b503 R14: dffffc0000000000 R15: ffff8880663cca00
FS: 0000000000000000(0000) GS:ffff8880b8700000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc90a747f98 CR3: 000000000e734000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 000000000000002b DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
<NMI>
</NMI>
<TASK>
__local_bh_enable_ip+0x1bb/0x200 kernel/softirq.c:382
spin_unlock_bh include/linux/spinlock.h:396 [inline]
nsim_dev_trap_report drivers/net/netdevsim/dev.c:820 [inline]
nsim_dev_trap_report_work+0x75d/0xaa0 drivers/net/netdevsim/dev.c:850
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/msm: Avoid NULL dereference in msm_disp_state_print_regs()

If the allocation in msm_disp_state_dump_regs() failed then `block->state` can be NULL. The msm_disp_state_print_regs() function _does_ have code to try to handle it with:

if (*reg)
dump_addr = *reg;

...but since "dump_addr" is initialized to NULL the above is actually a noop. The code then goes on to dereference `dump_addr`.

Make the function print "Registers not stored" when it sees a NULL to solve this. Since we're touching the code, fix msm_disp_state_print_regs() not to pointlessly take a double-pointer and properly mark the pointer as `const`.

Patchwork: https://patchwork.freedesktop.org/patch/619657/


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/cs8409: Fix possible NULL dereference

If snd_hda_gen_add_kctl fails to allocate memory and returns NULL, then a NULL pointer dereference will occur in the next line. Since the dolphin_fixups function is a hda_fixup function which is not supposed to return any errors, add a simple check before the dereference and ignore the failure.

Found by Linux Verification Center (linuxtesting.org) with SVACE.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: be2net: fix potential memory leak in be_xmit()

be_xmit() returns NETDEV_TX_OK without freeing the skb in case be_xmit_enqueue() fails; add dev_kfree_skb_any() to fix it.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net: systemport: fix potential memory leak in bcm_sysport_xmit()

bcm_sysport_xmit() returns NETDEV_TX_OK without freeing the skb in case dma_map_single() fails; add dev_kfree_skb() to fix it.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ceph: remove the incorrect Fw reference check when dirtying pages

When doing the direct-io reads it will also try to mark pages dirty, but for the read path it won't hold the Fw caps and there is case will it get the Fw reference.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: fbdev: sisfb: Fix strbuf array overflow

The values of the variables xres and yres are placed in strbuf. These variables are obtained from strbuf1. The strbuf1 array contains digit characters and a space if the array contains non-digit characters. Then, when executing

sprintf(strbuf, "%ux%ux8", xres, yres);

more than 16 bytes will be written to strbuf. It is suggested to increase the size of the strbuf array to 24.

Found by Linux Verification Center (linuxtesting.org) with SVACE.
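The tracing fix earlier on this page (an event name whose strlen() equals the buffer size leaves no room for the terminator) and this sisfb fix (sprintf of "%ux%ux8" into strbuf[16]) are both fixed-buffer bound errors. The C below is an added example, not kernel code, showing the check each needs and why 24 bytes is the smallest buffer that holds every possible mode string; MAX_EVENT_NAME_LEN and the helper names are assumptions of the example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumed bound for the model: the CVE text does not quote the kernel's
 * event-name limit. The sisfb sizes (16 old, 24 proposed) are from the text. */
#define MAX_EVENT_NAME_LEN 64
#define SISFB_STRBUF_OLD 16
#define SISFB_STRBUF_NEW 24

/* Copy an event name into dst[cap]. strlen() excludes the NUL, so a name of
 * exactly cap bytes would fill the buffer with no room for the terminator;
 * that is the case the tracing fix rejects. Returns 0 on success, -1 when
 * the name is empty or does not fit together with its NUL. */
int copy_event_name(char *dst, size_t cap, const char *name)
{
    size_t len = strlen(name);

    if (len == 0 || len >= cap)
        return -1;
    memcpy(dst, name, len + 1);     /* +1 copies the terminator */
    return 0;
}

/* Try a constructed name of the given length (all 'a') against a
 * MAX_EVENT_NAME_LEN buffer; returns copy_event_name's result. */
int event_name_of_length_fits(size_t len)
{
    char name[MAX_EVENT_NAME_LEN + 1], dst[MAX_EVENT_NAME_LEN];

    if (len > MAX_EVENT_NAME_LEN)
        return -1;
    memset(name, 'a', len);
    name[len] = '\0';
    return copy_event_name(dst, sizeof dst, name);
}

/* Longest output "%ux%ux8" can produce: two 10-digit values plus "x", "x8". */
size_t mode_string_max_len(void)
{
    return (size_t)snprintf(NULL, 0, "%ux%ux8", UINT_MAX, UINT_MAX);
}

/* Bounded replacement for sprintf(strbuf, "%ux%ux8", xres, yres): returns 0
 * when the string and its NUL fit in dst[cap], -1 where sprintf would have
 * written past the end (snprintf truncates instead of overflowing). */
int format_mode(char *dst, size_t cap, unsigned xres, unsigned yres)
{
    int n = snprintf(dst, cap, "%ux%ux8", xres, yres);

    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Same check for a buffer of size cap without the caller owning one. */
int mode_fits(size_t cap, unsigned xres, unsigned yres)
{
    char buf[64];

    if (cap == 0 || cap > sizeof buf)
        return -1;
    return format_mode(buf, cap, xres, yres);
}

/* Is cap enough for every xres/yres the format can receive, NUL included? */
int strbuf_is_large_enough(size_t cap)
{
    return cap > mode_string_max_len();
}

int main(void)
{
    printf("name of length %d into %d bytes: %d\n", MAX_EVENT_NAME_LEN,
           MAX_EVENT_NAME_LEN, event_name_of_length_fits(MAX_EVENT_NAME_LEN));
    printf("worst-case mode string length: %zu\n", mode_string_max_len());
    printf("strbuf[16] sufficient: %d, strbuf[24] sufficient: %d\n",
           strbuf_is_large_enough(SISFB_STRBUF_OLD),
           strbuf_is_large_enough(SISFB_STRBUF_NEW));
    printf("UINT_MAX x UINT_MAX into 16 bytes: %d, into 24 bytes: %d\n",
           mode_fits(SISFB_STRBUF_OLD, UINT_MAX, UINT_MAX),
           mode_fits(SISFB_STRBUF_NEW, UINT_MAX, UINT_MAX));
    return 0;
}
```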


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: secretmem: disable memfd_secret() if arch cannot set direct map

Return -ENOSYS from memfd_secret() syscall if !can_set_direct_map(). This is the case for example on some arm64 configurations, where marking 4k PTEs in the direct map not present can only be done if the direct map is set up at 4k granularity in the first place (as ARM's break-before-make semantics do not easily allow breaking apart large/gigantic pages).

More precisely, on arm64 systems with !can_set_direct_map(), set_direct_map_invalid_noflush() is a no-op, however it returns success (0) instead of an error. This means that memfd_secret will seemingly "work" (e.g. syscall succeeds, you can mmap the fd and fault in pages), but it does not actually achieve its goal of removing its memory from the direct map.

Note that with this patch, memfd_secret() will start erroring on systems where can_set_direct_map() returns false (arm64 with CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n and CONFIG_KFENCE=n), but that still seems better than the current silent failure. Since CONFIG_RODATA_FULL_DEFAULT_ENABLED defaults to 'y', most arm64 systems actually have a working memfd_secret() and aren't affected.

From going through the iterations of the original memfd_secret patch series, it seems that disabling the syscall in these scenarios was the intended behavior [1] (preferred over having set_direct_map_invalid_noflush return an error as that would result in SIGBUSes at page-fault time), however the check for it got dropped between v16 [2] and v17 [3], when secretmem moved away from CMA allocations.

[1]: https://lore.kernel.org/lkml/20201124164930.GK8537@kernel.org/
[2]: https://lore.kernel.org/lkml/20210121122723.3446-11-rppt@kernel.org/#t
[3]: https://lore.kernel.org/lkml/20201125092208.12544-10-rppt@kernel.org/


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance Deleting an NPIV instance requires all fabric ndlps to be released before an NPIV's resources can be torn down. Failure to release fabric ndlps beforehand opens kref imbalance race conditions. Fix by forcing the DA_ID to complete synchronously with usage of wait_queue.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: virtio_pmem: Check device status before requesting flush If a pmem device is in a bad status, the driver side could wait for host ack forever in virtio_pmem_flush(), causing the system to hang. So add a status check in the beginning of virtio_pmem_flush() to return early if the device is not activated.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net: explicitly clear the sk pointer, when pf->create fails

We have recently noticed the exact same KASAN splat as in commit 6cd4a78d962b ("net: do not leave a dangling sk pointer, when socket creation fails"). The problem is that commit did not fully address the problem, as some pf->create implementations do not use sk_common_release in their error paths.

For example, we can use the same reproducer as in the above commit, but changing ping to arping. arping uses AF_PACKET socket and if packet_create fails, it will just sk_free the allocated sk object.

While we could chase all the pf->create implementations and make sure they NULL the freed sk object on error from the socket, we can't guarantee future protocols will not make the same mistake. So it is easier to just explicitly NULL the sk pointer upon return from pf->create in __sock_create. We do know that pf->create always releases the allocated sk object on error, so if the pointer is not NULL, it is definitely dangling.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Stop the active perfmon before being destroyed Upon closing the file descriptor, the active performance monitor is not stopped. Although all perfmons are destroyed in `vc4_perfmon_close_file()`, the active performance monitor's pointer (`vc4->active_perfmon`) is still retained. If we open a new file descriptor and submit a few jobs with performance monitors, the driver will attempt to stop the active performance monitor using the stale pointer in `vc4->active_perfmon`. However, this pointer is no longer valid because the previous process has already terminated, and all performance monitors associated with it have been destroyed and freed. To fix this, when the active performance monitor belongs to a given process, explicitly stop it before destroying and freeing it.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net: phy: dp83869: fix memory corruption when enabling fiber When configuring the fiber port, the DP83869 PHY driver incorrectly calls linkmode_set_bit() with a bit mask (1 << 10) rather than a bit number (10). This corrupts some other memory location -- in case of arm64 the priv pointer in the same structure. Since the advertising flags are updated from supported at the end of the function the incorrect line isn't needed at all and can be removed.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: Switch to device-managed dmam_alloc_coherent() Using the device-managed version allows simplifying clean-up in the probe() error path. Additionally, this device-managed version ensures proper cleanup, which helps to resolve memory errors, page faults, btrfs going read-only, and btrfs disk corruption.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v4: Don't allow a VMOVP on a dying VPE Kunkun Jiang reported that there is a small window of opportunity for userspace to force a change of affinity for a VPE while the VPE has already been unmapped, but the corresponding doorbell interrupt is still visible in /proc/irq/. Plug the race by checking the value of vmapp_count, which tracks whether the VPE is mapped or not, and returning an error in this case. This involves making vmapp_count common to both GICv4.1 and its v4.0 ancestor.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: arm64: probes: Fix uprobes for big-endian kernels

The arm64 uprobes code is broken for big-endian kernels as it doesn't convert the in-memory instruction encoding (which is always little-endian) into the kernel's native endianness before analyzing and simulating instructions. This may result in a few distinct problems:

* The kernel may erroneously reject probing an instruction which can safely be probed.
* The kernel may erroneously permit stepping an instruction out-of-line when that instruction cannot be stepped out-of-line safely.
* The kernel may simulate an instruction incorrectly due to interpreting the byte-swapped encoding.

The endianness mismatch isn't caught by the compiler or sparse because:

* The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so the compiler and sparse have no idea these contain a little-endian 32-bit value. The core uprobes code populates these with a memcpy() which similarly does not handle endianness.
* While the uprobe_opcode_t type is an alias for __le32, both arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from u8[] to the similarly-named probe_opcode_t, which is an alias for u32. Hence there is no endianness conversion warning.

Fix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and adding the appropriate __le32_to_cpu() conversions prior to consuming the instruction encoding. The core uprobes code copies these fields as opaque ranges of bytes, and so is unaffected by this change.

At the same time, remove MAX_UINSN_BYTES and consistently use AARCH64_INSN_SIZE for clarity.

Tested with the following:

| #include <stdio.h>
| #include <stdbool.h>
|
| #define noinline __attribute__((noinline))
|
| static noinline void *adrp_self(void)
| {
|         void *addr;
|
|         asm volatile(
|         "       adrp    %x0, adrp_self\n"
|         "       add     %x0, %x0, :lo12:adrp_self\n"
|         : "=r" (addr));
|
|         return addr;
| }
|
|
| int main(int argc, char **argv)
| {
|         void *ptr = adrp_self();
|         bool equal = (ptr == adrp_self);
|
|         printf("adrp_self   => %p\n"
|                "adrp_self() => %p\n"
|                "%s\n",
|                adrp_self, ptr, equal ? "EQUAL" : "NOT EQUAL");
|
|         return 0;
| }

.... where the adrp_self() function was compiled to:

| 00000000004007e0 <adrp_self>:
|   4007e0:       90000000        adrp    x0, 400000 <__ehdr_start>
|   4007e4:       911f8000        add     x0, x0, #0x7e0
|   4007e8:       d65f03c0        ret

Before this patch, the ADRP is not recognized, and is assumed to be steppable, resulting in corruption of the result:

| # ./adrp-self
| adrp_self   => 0x4007e0
| adrp_self() => 0x4007e0
| EQUAL
| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events
| # echo 1 > /sys/kernel/tracing/events/uprobes/enable
| # ./adrp-self
| adrp_self   => 0x4007e0
| adrp_self() => 0xffffffffff7e0
| NOT EQUAL

After this patch, the ADRP is correctly recognized and simulated:

| # ./adrp-self
| adrp_self   => 0x4007e0
| adrp_self() => 0x4007e0
| EQUAL
| #
| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events
| # echo 1 > /sys/kernel/tracing/events/uprobes/enable
| # ./adrp-self
| adrp_self   => 0x4007e0
| adrp_self() => 0x4007e0
| EQUAL
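An added example (not the arm64 uprobes code) of the endianness issue the message describes: the ADRP encoding 0x90000000 shown in the disassembly above is stored little-endian in memory, a big-endian host is simulated explicitly, and the mask/value used to recognise ADRP are the standard A64 ones.

```c
/* Added illustration, not kernel code: why instruction bytes must be read
 * as little-endian before the probe logic classifies them. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define AARCH64_INSN_SIZE 4

/* A64 ADRP: bit 31 = 1 and bits 28..24 = 10000, i.e. mask 0x9f000000,
 * value 0x90000000. Everything else is immediate/register fields. */
static bool insn_is_adrp(uint32_t insn)
{
    return (insn & 0x9f000000u) == 0x90000000u;
}

/* Models __le32_to_cpu() applied to the raw bytes: the result does not
 * depend on the host's byte order. */
static uint32_t le32_to_cpu_from_bytes(const uint8_t b[AARCH64_INSN_SIZE])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Models the pre-fix behaviour on a big-endian kernel: the u8[] is copied
 * into a u32 and used as-is, so the bytes are interpreted in host order.
 * The big-endian host is simulated here rather than relying on the
 * machine this runs on. */
static uint32_t native_read_big_endian(const uint8_t b[AARCH64_INSN_SIZE])
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Classify the probed instruction from its in-memory bytes.
 * Returns 1 when it is recognised as ADRP (must be simulated, not stepped
 * out-of-line), 0 otherwise. convert_from_le selects the fixed path. */
static int classify_adrp(const uint8_t bytes[AARCH64_INSN_SIZE],
                         bool host_big_endian, bool convert_from_le)
{
    uint32_t insn;

    if (convert_from_le || !host_big_endian)
        insn = le32_to_cpu_from_bytes(bytes);
    else
        insn = native_read_big_endian(bytes);
    return insn_is_adrp(insn) ? 1 : 0;
}

/* In-memory bytes of the "adrp x0, ..." from the disassembly above:
 * encoding 0x90000000 stored little-endian (constructed from that value). */
static const uint8_t adrp_bytes[AARCH64_INSN_SIZE] = { 0x00, 0x00, 0x00, 0x90 };

int main(void)
{
    printf("LE host:                        adrp=%d\n",
           classify_adrp(adrp_bytes, false, false));
    printf("BE host, native read (pre-fix): adrp=%d\n",
           classify_adrp(adrp_bytes, true, false));
    printf("BE host, __le32_to_cpu (fixed): adrp=%d\n",
           classify_adrp(adrp_bytes, true, true));
    return 0;
}
```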


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: posix-clock: Fix missing timespec64 check in pc_clock_settime()

As Andrew pointed out, it makes sense that the PTP core checks the timespec64 struct's tv_sec and tv_nsec range before calling ptp->info->settime64(). As the man page of clock_settime() says, if tp.tv_sec is negative or tp.tv_nsec is outside the range [0..999,999,999], it should return EINVAL; this includes dynamic clocks, which handle the PTP clock, and the condition is consistent with timespec64_valid(). As Thomas suggested, timespec64_valid() only checks that the timespec is valid, but does not ensure that the time is in a valid range, so check it ahead using timespec64_valid_strict() in pc_clock_settime() and return -EINVAL if not valid.

There are some drivers that use tp->tv_sec and tp->tv_nsec directly to write registers without validity checks and assume that the higher layer has checked them, which is dangerous and will benefit from this, such as hclge_ptp_settime(), igb_ptp_settime_i210(), _rcar_gen4_ptp_settime(), and some drivers can remove their own checks.
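A user-space model of the validation the fix adds, as an added example rather than kernel code: timespec64_valid() and timespec64_valid_strict() are re-implemented with the conditions named above, driver_settime64() is a hypothetical driver that writes tv_sec/tv_nsec straight into registers, and all inputs are constructed.

```c
/* Added illustration, not kernel code: the check pc_clock_settime() now
 * performs before a PTP driver's settime64() sees the timespec. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC   1000000000L
#define KTIME_MAX      LLONG_MAX
/* Largest tv_sec that still fits a 64-bit nanosecond ktime_t. */
#define KTIME_SEC_MAX  (KTIME_MAX / NSEC_PER_SEC)
#define EINVAL         22

struct timespec64 {
    int64_t tv_sec;
    long    tv_nsec;
};

/* Same conditions as the kernel's timespec64_valid(): no negative seconds,
 * nanoseconds inside [0, 999999999]. */
static bool timespec64_valid(const struct timespec64 *ts)
{
    if (ts->tv_sec < 0)
        return false;
    if ((unsigned long)ts->tv_nsec >= NSEC_PER_SEC)
        return false;
    return true;
}

/* timespec64_valid_strict() additionally rejects tv_sec values that would
 * overflow a ktime_t once converted to nanoseconds. */
static bool timespec64_valid_strict(const struct timespec64 *ts)
{
    if (!timespec64_valid(ts))
        return false;
    if ((unsigned long long)ts->tv_sec >= (unsigned long long)KTIME_SEC_MAX)
        return false;
    return true;
}

/* Hypothetical PTP driver settime64 of the kind the message criticises:
 * it writes tv_sec/tv_nsec into (simulated) registers without any check,
 * so it relies entirely on the core having validated the values. */
static uint32_t reg_sec_hi, reg_sec_lo, reg_nsec;

static int driver_settime64(const struct timespec64 *ts)
{
    reg_sec_hi = (uint32_t)((uint64_t)ts->tv_sec >> 32);
    reg_sec_lo = (uint32_t)ts->tv_sec;
    reg_nsec   = (uint32_t)ts->tv_nsec;
    return 0;
}

/* Model of pc_clock_settime() after the fix: validate strictly first and
 * return -EINVAL, so the driver never receives an out-of-range timespec. */
static int pc_clock_settime(const struct timespec64 *ts)
{
    if (!timespec64_valid_strict(ts))
        return -EINVAL;
    return driver_settime64(ts);
}

int main(void)
{
    /* Constructed inputs: one valid, three the strict check rejects. */
    const struct timespec64 cases[] = {
        { 1700000000, 500 },          /* valid */
        { -1, 0 },                    /* negative seconds */
        { 1700000000, NSEC_PER_SEC }, /* tv_nsec == 1e9 */
        { KTIME_SEC_MAX, 0 },         /* passes valid(), fails strict() */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu: valid=%d strict=%d settime=%d\n", i,
               timespec64_valid(&cases[i]),
               timespec64_valid_strict(&cases[i]),
               pc_clock_settime(&cases[i]));
    return 0;
}
```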


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: pinctrl: ocelot: fix system hang on level based interrupts

The current implementation only calls chained_irq_enter() and chained_irq_exit() if it detects pending interrupts.

```
for (i = 0; i < info->stride; i++) {
	regmap_read(info->map, id_reg + 4 * i, &reg);
	if (!reg)
		continue;

	chained_irq_enter(parent_chip, desc);
```

However, in case of a GPIO pin configured in level mode and the parent controller configured in edge mode, the GPIO interrupt might be lowered by the hardware. As a result, if the interrupt is short enough, the parent interrupt is still pending while the GPIO interrupt is cleared; chained_irq_enter() never gets called and the system hangs trying to service the parent interrupt.

Moving chained_irq_enter() and chained_irq_exit() outside the for loop ensures that they are called even when the GPIO interrupt is lowered by the hardware.

Similar code with chained_irq_enter() / chained_irq_exit() functions wrapping the interrupt checking loop may be found in many other drivers:

```
grep -r -A 10 chained_irq_enter drivers/pinctrl
```
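The two handler shapes side by side, as an added example that is not the pinctrl-ocelot driver: chained_irq_enter()/chained_irq_exit() are replaced by counters and the register reads by a constructed status array, so the case where the level interrupt was already lowered (no pending bits) can be observed directly.

```c
/* Added illustration, not kernel code: a chained GPIO handler before and
 * after moving chained_irq_enter()/chained_irq_exit() out of the loop. */
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel objects the handler touches. */
struct parent_chip { int enter_calls; int exit_calls; };

struct gpio_regs {
    int      stride;     /* number of 32-bit status registers */
    uint32_t id_reg[4];  /* pending-interrupt status, W1C */
    int      handled;    /* child IRQs dispatched */
};

static void chained_irq_enter(struct parent_chip *c) { c->enter_calls++; }
static void chained_irq_exit(struct parent_chip *c)  { c->exit_calls++; }

/* One child-IRQ dispatch per set bit, modelled as a count. */
static void handle_gpio_bits(struct gpio_regs *g, uint32_t reg)
{
    while (reg) {
        g->handled++;
        reg &= reg - 1;
    }
}

/* Pre-fix shape quoted in the message: enter/exit only inside the loop, so
 * a pass that finds no pending bit never brackets the parent interrupt. */
static void ocelot_irq_handler_before(struct parent_chip *chip,
                                      struct gpio_regs *g)
{
    for (int i = 0; i < g->stride; i++) {
        uint32_t reg = g->id_reg[i];

        if (!reg)
            continue;
        chained_irq_enter(chip);
        handle_gpio_bits(g, reg);
        g->id_reg[i] = 0;
        chained_irq_exit(chip);
    }
}

/* Fixed shape: enter/exit bracket the whole loop, so the parent is handled
 * even when the hardware already lowered the level-triggered GPIO line. */
static void ocelot_irq_handler_after(struct parent_chip *chip,
                                     struct gpio_regs *g)
{
    chained_irq_enter(chip);
    for (int i = 0; i < g->stride; i++) {
        uint32_t reg = g->id_reg[i];

        if (!reg)
            continue;
        handle_gpio_bits(g, reg);
        g->id_reg[i] = 0;
    }
    chained_irq_exit(chip);
}

/* Run one handler against a constructed status snapshot and return how
 * many times the parent was entered (0 = parent never acknowledged). */
static int parent_enters(void (*handler)(struct parent_chip *,
                                         struct gpio_regs *),
                         uint32_t status0)
{
    struct parent_chip chip = { 0, 0 };
    struct gpio_regs g = { .stride = 1, .id_reg = { status0 } };

    handler(&chip, &g);
    return chip.enter_calls;
}

int main(void)
{
    printf("no pending bits:   before=%d after=%d\n",
           parent_enters(ocelot_irq_handler_before, 0),
           parent_enters(ocelot_irq_handler_after, 0));
    printf("bits 0,2 pending:  before=%d after=%d\n",
           parent_enters(ocelot_irq_handler_before, 0x5),
           parent_enters(ocelot_irq_handler_after, 0x5));
    return 0;
}
```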


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: iio: light: veml6030: fix IIO device retrieval from embedded device The dev pointer that is received as an argument in the in_illuminance_period_available_show function references the device embedded in the IIO device, not in the i2c client. dev_to_iio_dev() must be used to access the right data. The current implementation leads to a segmentation fault on every attempt to read the attribute because indio_dev gets a NULL assignment. This bug has been present since the first appearance of the driver, apparently since the last version (V6) before getting applied. A constant attribute was used until then, and the last modifications might have not been tested again.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Fix encoder->possible_clones

Include the encoder itself in its possible_clones bitmask. In the past nothing validated that drivers were populating possible_clones correctly, but that changed in commit 74d2aacbe840 ("drm: Validate encoder->possible_clones"). Looks like radeon never got the memo and is still not following the rules 100% correctly. This results in some warnings during driver initialization:

Bogus possible_clones: [ENCODER:46:TV-46] possible_clones=0x4 (full encoder mask=0x7)
WARNING: CPU: 0 PID: 170 at drivers/gpu/drm/drm_mode_config.c:615 drm_mode_config_validate+0x113/0x39c
...

(cherry picked from commit 3b6e7d40649c0d75572039aff9d0911864c689db)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() The step variable is initialized to zero. It is changed in the loop, but if it's not changed it will remain zero. Add a variable check before the division. The observed behavior was introduced by commit 826b5de90c0b ("ALSA: firewire-lib: fix insufficient PCM rule for period/buffer size"), and it is difficult to show that any of the interval parameters will satisfy the snd_interval_test() condition with data from the amdtp_rate_table[] table. Found by Linux Verification Center (linuxtesting.org) with SVACE.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Avoid memory corruption while setting up Level-2 PBL pages for the non MR resources when num_pages > 256K. There will be a single PDE page address (contiguous pages in the case of > PAGE_SIZE), but, current logic assumes multiple pages, leading to invalid memory access after 256K PBL entries in the PDE.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Add a check for memory allocation __alloc_pbl() can return error when memory allocation fails. Driver is not checking the status on one of the instances.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: nvmet-auth: assign dh_key to NULL after kfree_sensitive ctrl->dh_key might be used across multiple calls to nvmet_setup_dhgroup() for the same controller. So it's better to nullify it after release on error path in order to avoid double free later in nvmet_destroy_auth(). Found by Linux Verification Center (linuxtesting.org) with Svace.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Syzbot reported a kernel BUG in ocfs2_truncate_inline. There are two reasons for this: first, the parameter value passed is greater than ocfs2_max_inline_data_with_xattr, second, the start and end parameters of ocfs2_truncate_inline are "unsigned int". So, we need to add a sanity check for byte_start and byte_len right before ocfs2_truncate_inline() in ocfs2_remove_inode_range(), if they are greater than ocfs2_max_inline_data_with_xattr return -EINVAL.
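An added example (not ocfs2 code) of the narrowing problem and of the check the fix places before the call: max_inline_data() is a constructed stand-in for ocfs2_max_inline_data_with_xattr(), truncate_inline() has the unsigned int parameter shape named above, and the byte_end check in the fixed caller is an extra guard added here for illustration.

```c
/* Added illustration, not ocfs2 code: a u64 range that is silently cut to
 * 32 bits at an "unsigned int" call boundary passes the callee's check. */
#include <stdint.h>
#include <stdio.h>

#define EINVAL 22

/* Constructed stand-in for ocfs2_max_inline_data_with_xattr(): assume the
 * inode's inline data area holds 3800 bytes. */
static unsigned int max_inline_data(void) { return 3800; }

/* Callee with the pre-fix parameter types: any u64 argument is narrowed to
 * 32 bits here, before the callee's own sanity check can see it. */
static int truncate_inline(unsigned int start, unsigned int end,
                           unsigned int max)
{
    if (start > max || end > max || start > end)
        return -1;   /* stands in for the BUG the report describes */
    return 0;        /* truncation would proceed on [start, end) */
}

/* Pre-fix caller: the u64 byte range is handed straight to the callee. */
static int remove_inode_range_before(uint64_t byte_start, uint64_t byte_len)
{
    unsigned int max = max_inline_data();

    return truncate_inline((unsigned int)byte_start,
                           (unsigned int)(byte_start + byte_len), max);
}

/* Post-fix caller: byte_start and byte_len are compared as u64 against the
 * inline limit first and -EINVAL is returned, as the message describes.
 * The byte_end check is an additional guard added in this example. */
static int remove_inode_range_after(uint64_t byte_start, uint64_t byte_len)
{
    uint64_t max = max_inline_data();
    uint64_t byte_end;

    if (byte_start > max || byte_len > max)
        return -EINVAL;
    byte_end = byte_start + byte_len;   /* cannot overflow: both <= max */
    if (byte_end > max)
        return -EINVAL;
    return truncate_inline((unsigned int)byte_start, (unsigned int)byte_end,
                           (unsigned int)max);
}

int main(void)
{
    /* Constructed ranges: in range, start past 4 GiB, length of 4 GiB. */
    const uint64_t starts[] = { 100, 0x100000010ULL, 0 };
    const uint64_t lens[]   = { 8,   8,              0x100000000ULL };

    for (int i = 0; i < 3; i++)
        printf("start=%#llx len=%#llx: before=%d after=%d\n",
               (unsigned long long)starts[i], (unsigned long long)lens[i],
               remove_inode_range_before(starts[i], lens[i]),
               remove_inode_range_after(starts[i], lens[i]));
    return 0;
}
```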


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential deadlock with newly created symlinks

Syzbot reported that page_symlink(), called by nilfs_symlink(), triggers memory reclamation involving the filesystem layer, which can result in circular lock dependencies among the reader/writer semaphore nilfs->ns_segctor_sem, s_writers percpu_rwsem (intwrite) and the fs_reclaim pseudo lock.

This is because after commit 21fc61c73c39 ("don't put symlink bodies in pagecache into highmem"), the gfp flags of the page cache for symbolic links are overwritten to GFP_KERNEL via inode_nohighmem().

This is not a problem for symlinks read from the backing device, because the __GFP_FS flag is dropped after inode_nohighmem() is called. However, when a new symlink is created with nilfs_symlink(), the gfp flags remain overwritten to GFP_KERNEL. Then, memory allocation called from page_symlink() etc. triggers memory reclamation including the FS layer, which may call nilfs_evict_inode() or nilfs_dirty_inode(). And these can cause a deadlock if they are called while nilfs->ns_segctor_sem is held:

Fix this issue by dropping the __GFP_FS flag from the page cache GFP flags of newly created symlinks in the same way that nilfs_new_inode() and __nilfs_read_inode() do, as a workaround until we adopt nofs allocation scope consistently or improve the locking constraints.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix kernel bug due to missing clearing of checked flag Syzbot reported that in directory operations after nilfs2 detects filesystem corruption and degrades to read-only, __block_write_begin_int(), which is called to prepare block writes, may fail the BUG_ON check for accesses exceeding the folio/page size, triggering a kernel bug. This was found to be because the "checked" flag of a page/folio was not cleared when it was discarded by nilfs2's own routine, which causes the sanity check of directory entries to be skipped when the directory page/folio is reloaded. So, fix that. This was necessary when the use of nilfs2's own page discard routine was applied to more than just metadata files.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7124: fix division by zero in ad7124_set_channel_odr() In the ad7124_write_raw() function, parameter val can potentially be zero. This may lead to a division by zero when DIV_ROUND_CLOSEST() is called within ad7124_set_channel_odr(). The ad7124_write_raw() function is invoked through the sequence: iio_write_channel_raw() -> iio_write_channel_attribute() -> iio_channel_write(), with no checks in place to ensure val is non-zero.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: staging: iio: frequency: ad9832: fix division by zero in ad9832_calc_freqreg() In the ad9832_write_frequency() function, clk_get_rate() might return 0. This can lead to a division by zero when calling ad9832_calc_freqreg(). The check if (fout > (clk_get_rate(st->mclk) / 2)) does not protect against the case when fout is 0. The ad9832_write_frequency() function is called from ad9832_write(), and fout is derived from a text buffer, which can contain any value.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlegacy: Clear stale interrupts before resuming device

iwl4965 fails upon resume from hibernation on my laptop. The reason seems to be a stale interrupt which isn't being cleared out before interrupts are enabled. We end up with a race between the resume trying to bring things back up, and the restart work (queued from the interrupt handler) trying to bring things down. Eventually the whole thing blows up.

Fix the problem by clearing out any stale interrupts before interrupts get enabled during resume.

Here's a debug log of the incident:

[ 12.042589] ieee80211 phy0: il_isr ISR inta 0x00000080, enabled 0xaa00008b, fh 0x00000000
[ 12.042625] ieee80211 phy0: il4965_irq_tasklet inta 0x00000080, enabled 0x00000000, fh 0x00000000
[ 12.042651] iwl4965 0000:10:00.0: RF_KILL bit toggled to enable radio.
[ 12.042653] iwl4965 0000:10:00.0: On demand firmware reload
[ 12.042690] ieee80211 phy0: il4965_irq_tasklet End inta 0x00000000, enabled 0xaa00008b, fh 0x00000000, flags 0x00000282
[ 12.052207] ieee80211 phy0: il4965_mac_start enter
[ 12.052212] ieee80211 phy0: il_prep_station Add STA to driver ID 31: ff:ff:ff:ff:ff:ff
[ 12.052244] ieee80211 phy0: il4965_set_hw_ready hardware ready
[ 12.052324] ieee80211 phy0: il_apm_init Init card's basic functions
[ 12.052348] ieee80211 phy0: il_apm_init L1 Enabled; Disabling L0S
[ 12.055727] ieee80211 phy0: il4965_load_bsm Begin load bsm
[ 12.056140] ieee80211 phy0: il4965_verify_bsm Begin verify bsm
[ 12.058642] ieee80211 phy0: il4965_verify_bsm BSM bootstrap uCode image OK
[ 12.058721] ieee80211 phy0: il4965_load_bsm BSM write complete, poll 1 iterations
[ 12.058734] ieee80211 phy0: __il4965_up iwl4965 is coming up
[ 12.058737] ieee80211 phy0: il4965_mac_start Start UP work done.
[ 12.058757] ieee80211 phy0: __il4965_down iwl4965 is going down
[ 12.058761] ieee80211 phy0: il_scan_cancel_timeout Scan cancel timeout
[ 12.058762] ieee80211 phy0: il_do_scan_abort Not performing scan to abort
[ 12.058765] ieee80211 phy0: il_clear_ucode_stations Clearing ucode stations in driver
[ 12.058767] ieee80211 phy0: il_clear_ucode_stations No active stations found to be cleared
[ 12.058819] ieee80211 phy0: _il_apm_stop Stop card, put in low power state
[ 12.058827] ieee80211 phy0: _il_apm_stop_master stop master
[ 12.058864] ieee80211 phy0: il4965_clear_free_frames 0 frames on pre-allocated heap on clear.
[ 12.058869] ieee80211 phy0: Hardware restart was requested
[ 16.132299] iwl4965 0000:10:00.0: START_ALIVE timeout after 4000ms.
[ 16.132303] ------------[ cut here ]------------
[ 16.132304] Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue.
[ 16.132338] WARNING: CPU: 0 PID: 181 at net/mac80211/util.c:1826 ieee80211_reconfig+0x8f/0x14b0 [mac80211]
[ 16.132390] Modules linked in: ctr ccm sch_fq_codel xt_tcpudp xt_multiport xt_state iptable_filter iptable_nat nf_nat nf_conntrack nf_defrag_ipv4 ip_tables x_tables binfmt_misc joydev mousedev btusb btrtl btintel btbcm bluetooth ecdh_generic ecc iTCO_wdt i2c_dev iwl4965 iwlegacy coretemp snd_hda_codec_analog pcspkr psmouse mac80211 snd_hda_codec_generic libarc4 sdhci_pci cqhci sha256_generic sdhci libsha256 firewire_ohci snd_hda_intel snd_intel_dspcfg mmc_core snd_hda_codec snd_hwdep firewire_core led_class iosf_mbi snd_hda_core uhci_hcd lpc_ich crc_itu_t cfg80211 ehci_pci ehci_hcd snd_pcm usbcore mfd_core rfkill snd_timer snd usb_common soundcore video parport_pc parport intel_agp wmi intel_gtt backlight e1000e agpgart evdev
[ 16.132456] CPU: 0 UID: 0 PID: 181 Comm: kworker/u8:6 Not tainted 6.11.0-cl+ #143
[ 16.132460] Hardware name: Hewlett-Packard HP Compaq 6910p/30BE, BIOS 68MCU Ver. F.19 07/06/2010
[ 16.132463] Workqueue: async async_run_entry_fn
[ 16.132469] RIP: 0010:ieee80211_reconfig+0x8f/0x14b0 [mac80211]
[ 16.132501] Code: da 02 00 0
---truncated---


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: Fix memory leak in management tx

In the current logic, memory is allocated for storing the MSDU context during management packet TX but this memory is not being freed during management TX completion. Similar leaks are seen in the management TX cleanup logic.

Kmemleak reports this problem as below,

unreferenced object 0xffffff80b64ed250 (size 16):
  comm "kworker/u16:7", pid 148, jiffies 4294687130 (age 714.199s)
  hex dump (first 16 bytes):
    00 2b d8 d8 80 ff ff ff c4 74 e9 fd 07 00 00 00  .+.......t......
  backtrace:
    [<ffffffe6e7b245dc>] __kmem_cache_alloc_node+0x1e4/0x2d8
    [<ffffffe6e7adde88>] kmalloc_trace+0x48/0x110
    [<ffffffe6bbd765fc>] ath10k_wmi_tlv_op_gen_mgmt_tx_send+0xd4/0x1d8 [ath10k_core]
    [<ffffffe6bbd3eed4>] ath10k_mgmt_over_wmi_tx_work+0x134/0x298 [ath10k_core]
    [<ffffffe6e78d5974>] process_scheduled_works+0x1ac/0x400
    [<ffffffe6e78d60b8>] worker_thread+0x208/0x328
    [<ffffffe6e78dc890>] kthread+0x100/0x1c0
    [<ffffffe6e78166c0>] ret_from_fork+0x10/0x20

Free the memory during completion and cleanup to fix the leak. Protect the mgmt_pending_tx idr_remove() operation in ath10k_wmi_tlv_op_cleanup_mgmt_tx_send() using ar->data_lock similar to other instances.

Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: do not pass a stopped vif to the driver in .get_txpower Avoid potentially crashing in the driver because of uninitialized private data


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Make rmw_lock a raw_spin_lock

The following BUG was triggered:

=============================
[ BUG: Invalid wait context ]
6.12.0-rc2-XXX #406 Not tainted
-----------------------------
kworker/1:1/62 is trying to lock:
ffffff8801593030 (&cpc_ptr->rmw_lock){+.+.}-{3:3}, at: cpc_write+0xcc/0x370
other info that might help us debug this:
context-{5:5}
2 locks held by kworker/1:1/62:
 #0: ffffff897ef5ec98 (&rq->__lock){-.-.}-{2:2}, at: raw_spin_rq_lock_nested+0x2c/0x50
 #1: ffffff880154e238 (&sg_policy->update_lock){....}-{2:2}, at: sugov_update_shared+0x3c/0x280
stack backtrace:
CPU: 1 UID: 0 PID: 62 Comm: kworker/1:1 Not tainted 6.12.0-rc2-g9654bd3e8806 #406
Workqueue: 0x0 (events)
Call trace:
 dump_backtrace+0xa4/0x130
 show_stack+0x20/0x38
 dump_stack_lvl+0x90/0xd0
 dump_stack+0x18/0x28
 __lock_acquire+0x480/0x1ad8
 lock_acquire+0x114/0x310
 _raw_spin_lock+0x50/0x70
 cpc_write+0xcc/0x370
 cppc_set_perf+0xa0/0x3a8
 cppc_cpufreq_fast_switch+0x40/0xc0
 cpufreq_driver_fast_switch+0x4c/0x218
 sugov_update_shared+0x234/0x280
 update_load_avg+0x6ec/0x7b8
 dequeue_entities+0x108/0x830
 dequeue_task_fair+0x58/0x408
 __schedule+0x4f0/0x1070
 schedule+0x54/0x130
 worker_thread+0xc0/0x2e8
 kthread+0x130/0x148
 ret_from_fork+0x10/0x20

sugov_update_shared() locks a raw_spinlock while cpc_write() locks a spinlock.

To have a correct wait-type order, update rmw_lock to a raw spinlock and ensure that interrupts will be disabled on the CPU holding it.

[ rjw: Changelog edits ]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci: fix null-ptr-deref in hci_read_supported_codecs

Fix __hci_cmd_sync_sk() to return not NULL for unknown opcodes.

__hci_cmd_sync_sk() returns NULL if a command returns a status event. However, it also returns NULL where an opcode doesn't exist in the hci_cc table because hci_cmd_complete_evt() assumes status = skb->data[0] for unknown opcodes.

This leads to null-ptr-deref in cmd_sync for HCI_OP_READ_LOCAL_CODECS as there is no hci_cc for HCI_OP_READ_LOCAL_CODECS, which always assumes status = skb->data[0].

KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
CPU: 1 PID: 2000 Comm: kworker/u9:5 Not tainted 6.9.0-ga6bcb805883c-dirty #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: hci7 hci_power_on
RIP: 0010:hci_read_supported_codecs+0xb9/0x870 net/bluetooth/hci_codec.c:138
Code: 08 48 89 ef e8 b8 c1 8f fd 48 8b 75 00 e9 96 00 00 00 49 89 c6 48 ba 00 00 00 00 00 fc ff df 4c 8d 60 70 4c 89 e3 48 c1 eb 03 <0f> b6 04 13 84 c0 0f 85 82 06 00 00 41 83 3c 24 02 77 0a e8 bf 78
RSP: 0018:ffff888120bafac8 EFLAGS: 00010212
RAX: 0000000000000000 RBX: 000000000000000e RCX: ffff8881173f0040
RDX: dffffc0000000000 RSI: ffffffffa58496c0 RDI: ffff88810b9ad1e4
RBP: ffff88810b9ac000 R08: ffffffffa77882a7 R09: 1ffffffff4ef1054
R10: dffffc0000000000 R11: fffffbfff4ef1055 R12: 0000000000000070
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810b9ac000
FS: 0000000000000000(0000) GS:ffff8881f6c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6ddaa3439e CR3: 0000000139764003 CR4: 0000000000770ef0
PKRU: 55555554
Call Trace:
<TASK>
hci_read_local_codecs_sync net/bluetooth/hci_sync.c:4546 [inline]
hci_init_stage_sync net/bluetooth/hci_sync.c:3441 [inline]
hci_init4_sync net/bluetooth/hci_sync.c:4706 [inline]
hci_init_sync net/bluetooth/hci_sync.c:4742 [inline]
hci_dev_init_sync net/bluetooth/hci_sync.c:4912 [inline]
hci_dev_open_sync+0x19a9/0x2d30 net/bluetooth/hci_sync.c:4994
hci_dev_do_open net/bluetooth/hci_core.c:483 [inline]
hci_power_on+0x11e/0x560 net/bluetooth/hci_core.c:1015
process_one_work kernel/workqueue.c:3267 [inline]
process_scheduled_works+0x8ef/0x14f0 kernel/workqueue.c:3348
worker_thread+0x91f/0xe50 kernel/workqueue.c:3429
kthread+0x2cb/0x360 kernel/kthread.c:388
ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: netdevsim: Add trailing zero to terminate the string in nsim_nexthop_bucket_activity_write() This was found by a static analyzer. We should not forget the trailing zero after copy_from_user() if we will further do some string operations, sscanf() in this case. Adding a trailing zero will ensure that the function performs properly.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: macsec: Fix use-after-free while sending the offloading packet

KASAN reports the following UAF. The metadata_dst, which is used to store the SCI value for macsec offload, is already freed by metadata_dst_free() in macsec_free_netdev(), while the driver still uses it for sending the packet.

To fix this issue, dst_release() is used instead to release metadata_dst. So it is not freed instantly in macsec_free_netdev() if still referenced by skb.

BUG: KASAN: slab-use-after-free in mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]
Read of size 2 at addr ffff88813e42e038 by task kworker/7:2/714
[...]
Workqueue: mld mld_ifc_work
Call Trace:
<TASK>
dump_stack_lvl+0x51/0x60
print_report+0xc1/0x600
kasan_report+0xab/0xe0
mlx5e_xmit+0x1e8f/0x4190 [mlx5_core]
dev_hard_start_xmit+0x120/0x530
sch_direct_xmit+0x149/0x11e0
__qdisc_run+0x3ad/0x1730
__dev_queue_xmit+0x1196/0x2ed0
vlan_dev_hard_start_xmit+0x32e/0x510 [8021q]
dev_hard_start_xmit+0x120/0x530
__dev_queue_xmit+0x14a7/0x2ed0
macsec_start_xmit+0x13e9/0x2340
dev_hard_start_xmit+0x120/0x530
__dev_queue_xmit+0x14a7/0x2ed0
ip6_finish_output2+0x923/0x1a70
ip6_finish_output+0x2d7/0x970
ip6_output+0x1ce/0x3a0
NF_HOOK.constprop.0+0x15f/0x190
mld_sendpack+0x59a/0xbd0
mld_ifc_work+0x48a/0xa80
process_one_work+0x5aa/0xe50
worker_thread+0x79c/0x1290
kthread+0x28f/0x350
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x11/0x20
</TASK>

Allocated by task 3922:
kasan_save_stack+0x20/0x40
kasan_save_track+0x10/0x30
__kasan_kmalloc+0x77/0x90
__kmalloc_noprof+0x188/0x400
metadata_dst_alloc+0x1f/0x4e0
macsec_newlink+0x914/0x1410
__rtnl_newlink+0xe08/0x15b0
rtnl_newlink+0x5f/0x90
rtnetlink_rcv_msg+0x667/0xa80
netlink_rcv_skb+0x12c/0x360
netlink_unicast+0x551/0x770
netlink_sendmsg+0x72d/0xbd0
__sock_sendmsg+0xc5/0x190
____sys_sendmsg+0x52e/0x6a0
___sys_sendmsg+0xeb/0x170
__sys_sendmsg+0xb5/0x140
do_syscall_64+0x4c/0x100
entry_SYSCALL_64_after_hwframe+0x4b/0x53

Freed by task 4011:
kasan_save_stack+0x20/0x40
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x50
poison_slab_object+0x10c/0x190
__kasan_slab_free+0x11/0x30
kfree+0xe0/0x290
macsec_free_netdev+0x3f/0x140
netdev_run_todo+0x450/0xc70
rtnetlink_rcv_msg+0x66f/0xa80
netlink_rcv_skb+0x12c/0x360
netlink_unicast+0x551/0x770
netlink_sendmsg+0x72d/0xbd0
__sock_sendmsg+0xc5/0x190
____sys_sendmsg+0x52e/0x6a0
___sys_sendmsg+0xeb/0x170
__sys_sendmsg+0xb5/0x140
do_syscall_64+0x4c/0x100
entry_SYSCALL_64_after_hwframe+0x4b/0x53


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()

Syzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove():

[ 57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12
[ 57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper. Leaking 1 clusters and removing the entry
[ 57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004
[...]
[ 57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
[...]
[ 57.331328] Call Trace:
[ 57.331477] <TASK>
[...]
[ 57.333511] ? do_user_addr_fault+0x3e5/0x740
[ 57.333778] ? exc_page_fault+0x70/0x170
[ 57.334016] ? asm_exc_page_fault+0x2b/0x30
[ 57.334263] ? __pfx_ocfs2_xa_block_wipe_namevalue+0x10/0x10
[ 57.334596] ? ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
[ 57.334913] ocfs2_xa_remove_entry+0x23/0xc0
[ 57.335164] ocfs2_xa_set+0x704/0xcf0
[ 57.335381] ? _raw_spin_unlock+0x1a/0x40
[ 57.335620] ? ocfs2_inode_cache_unlock+0x16/0x20
[ 57.335915] ? trace_preempt_on+0x1e/0x70
[ 57.336153] ? start_this_handle+0x16c/0x500
[ 57.336410] ? preempt_count_sub+0x50/0x80
[ 57.336656] ? _raw_read_unlock+0x20/0x40
[ 57.336906] ? start_this_handle+0x16c/0x500
[ 57.337162] ocfs2_xattr_block_set+0xa6/0x1e0
[ 57.337424] __ocfs2_xattr_set_handle+0x1fd/0x5d0
[ 57.337706] ? ocfs2_start_trans+0x13d/0x290
[ 57.337971] ocfs2_xattr_set+0xb13/0xfb0
[ 57.338207] ? dput+0x46/0x1c0
[ 57.338393] ocfs2_xattr_trusted_set+0x28/0x30
[ 57.338665] ? ocfs2_xattr_trusted_set+0x28/0x30
[ 57.338948] __vfs_removexattr+0x92/0xc0
[ 57.339182] __vfs_removexattr_locked+0xd5/0x190
[ 57.339456] ? preempt_count_sub+0x50/0x80
[ 57.339705] vfs_removexattr+0x5f/0x100
[...]

Reproducer uses faultinject facility to fail ocfs2_xa_remove() -> ocfs2_xa_value_truncate() with -ENOMEM.

In this case the comment mentions that we can return 0 if ocfs2_xa_cleanup_value_truncate() is going to wipe the entry anyway. But the following 'rc' check is wrong and execution flow does 'ocfs2_xa_remove_entry(loc);' twice:
* 1st: in ocfs2_xa_cleanup_value_truncate();
* 2nd: returning back to ocfs2_xa_remove() instead of going to 'out'.

Fix this by skipping the 2nd removal of the same entry and making syzkaller repro happy.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_edgeport: fix use after free in debug printk The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb) is a use after free of the "urb" pointer. Store the "dev" pointer at the start of the function to avoid this issue.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()

The "*cmd" variable can be controlled by the user via debugfs. That means "new_cam" can be as high as 255 while the size of the uc->updated[] array is UCSI_MAX_ALTMODES (30).

The call tree is:

ucsi_cmd() // val comes from simple_attr_write_xsigned()
-> ucsi_send_command()
-> ucsi_send_command_common()
-> ucsi_run_command() // calls ucsi->ops->sync_control()
-> ucsi_ccg_sync_control()


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: usb: musb: sunxi: Fix accessing a released usb phy

Commit 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on exit") will cause the usb phy @glue->xceiv to be accessed after it is released.

1) register platform driver @sunxi_musb_driver
// get the usb phy @glue->xceiv
sunxi_musb_probe() -> devm_usb_get_phy().

2) register and unregister platform driver @musb_driver
musb_probe() -> sunxi_musb_init()
use the phy here
//the phy is released here
musb_remove() -> sunxi_musb_exit() -> devm_usb_put_phy()

3) register @musb_driver again
musb_probe() -> sunxi_musb_init()
use the phy here
but the phy has been released at 2).
...

Fixed by reverting the commit, namely, removing devm_usb_put_phy() from sunxi_musb_exit().


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: signal: restore the override_rlimit logic

Prior to commit d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts") UCOUNT_RLIMIT_SIGPENDING rlimit was not enforced for a class of signals. However now it's enforced unconditionally, even if override_rlimit is set. This behavior change caused production issues.

For example, if the limit is reached and a process receives a SIGSEGV signal, sigqueue_alloc fails to allocate the necessary resources for the signal delivery, preventing the signal from being delivered with siginfo. This prevents the process from correctly identifying the fault address and handling the error. From the user-space perspective, applications are unaware that the limit has been reached and that the siginfo is effectively 'corrupted'. This can lead to unpredictable behavior and crashes, as we observed with java applications.

Fix this by passing override_rlimit into inc_rlimit_get_ucounts() and skip the comparison to max there if override_rlimit is set. This effectively restores the old behavior.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: btrfs: reinitialize delayed ref list after deleting it from the list At insert_delayed_ref() if we need to update the action of an existing ref to BTRFS_DROP_DELAYED_REF, we delete the ref from its ref head's ref_add_list using list_del(), which leaves the ref's add_list member not reinitialized, as list_del() sets the next and prev members of the list to LIST_POISON1 and LIST_POISON2, respectively. If later we end up calling drop_delayed_ref() against the ref, which can happen during merging or when destroying delayed refs due to a transaction abort, we can trigger a crash since at drop_delayed_ref() we call list_empty() against the ref's add_list, which returns false since the list was not reinitialized after the list_del() and as a consequence we call list_del() again at drop_delayed_ref(). This results in an invalid list access since the next and prev members are set to poison pointers, resulting in a splat if CONFIG_LIST_HARDENED and CONFIG_DEBUG_LIST are set or invalid poison pointer dereferences otherwise. So fix this by deleting from the list with list_del_init() instead.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: idpf: avoid vport access in idpf_get_link_ksettings When the device control plane is removed or the platform running device control plane is rebooted, a reset is detected on the driver. On driver reset, it releases the resources and waits for the reset to complete. If the reset fails, it takes the error path and releases the vport lock. At this time if the monitoring tools tries to access link settings, it call traces for accessing released vport pointer. To avoid it, move link_speed_mbps to netdev_priv structure which removes the dependency on vport pointer and the vport lock in idpf_get_link_ksettings. Also use netif_carrier_ok() to check the link status and adjust the offsetof to use link_up instead of link_speed_mbps.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: dm cache: fix out-of-bounds access to the dirty bitset when resizing

dm-cache checks the dirty bits of the cache blocks to be dropped when shrinking the fast device, but an index bug in bitset iteration causes out-of-bounds access.

Reproduce steps:

1. create a cache device of 1024 cache blocks (128 bytes dirty bitset)

dmsetup create cmeta --table "0 8192 linear /dev/sdc 0"
dmsetup create cdata --table "0 131072 linear /dev/sdc 8192"
dmsetup create corig --table "0 524288 linear /dev/sdc 262144"
dd if=/dev/zero of=/dev/mapper/cmeta bs=4k count=1 oflag=direct
dmsetup create cache --table "0 524288 cache /dev/mapper/cmeta \
/dev/mapper/cdata /dev/mapper/corig 128 2 metadata2 writethrough smq 0"

2. shrink the fast device to 512 cache blocks, triggering out-of-bounds access to the dirty bitset (offset 0x80)

dmsetup suspend cache
dmsetup reload cdata --table "0 65536 linear /dev/sdc 8192"
dmsetup resume cdata
dmsetup resume cache

KASAN reports:

BUG: KASAN: vmalloc-out-of-bounds in cache_preresume+0x269/0x7b0
Read of size 8 at addr ffffc900000f3080 by task dmsetup/131
(...snip...)
The buggy address belongs to the virtual mapping at [ffffc900000f3000, ffffc900000f5000) created by: cache_ctr+0x176a/0x35f0
(...snip...)
Memory state around the buggy address:
ffffc900000f2f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc900000f3000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffc900000f3080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
^
ffffc900000f3100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
ffffc900000f3180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8

Fix by making the index post-incremented.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: add missing size check in amdgpu_debugfs_gprwave_read() Avoid a possible buffer overflow if size is larger than 4K. (cherry picked from commit f5d873f5825b40d886d03bd2aede91d4cf002434)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: media: v4l2-tpg: prevent the risk of a division by zero As reported by Coverity, the logic at tpg_precalculate_line() blindly rescales the buffer even when scaled_width is equal to zero. If this ever happens, this will cause a division by zero. Instead, add a WARN_ON_ONCE() to trigger such cases and return without doing any precalculation.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: media: av7110: fix a spectre vulnerability As warned by smatch: drivers/staging/media/av7110/av7110_ca.c:270 dvb_ca_ioctl() warn: potential spectre issue 'av7110->ci_slot' [w] (local cap) There is a spectre-related vulnerability at the code. Fix it.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: media: cx24116: prevent overflows on SNR calculus As reported by Coverity, if reading SNR registers fails, a negative number will be returned, causing an underflow when reading SNR registers. Prevent that.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: ASoC: stm32: spdifrx: fix dma channel release in stm32_spdifrx_remove

In case of error when requesting ctrl_chan DMA channel, ctrl_chan is not null. So the release of the dma channel leads to the following issue:

[ 4.879000] st,stm32-spdifrx 500d0000.audio-controller: dma_request_slave_channel error -19
[ 4.888975] Unable to handle kernel NULL pointer dereference at virtual address 000000000000003d
[...]
[ 5.096577] Call trace:
[ 5.099099] dma_release_channel+0x24/0x100
[ 5.103235] stm32_spdifrx_remove+0x24/0x60 [snd_soc_stm32_spdifrx]
[ 5.109494] stm32_spdifrx_probe+0x320/0x4c4 [snd_soc_stm32_spdifrx]

To avoid this issue, release channel only if the pointer is valid.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net: arc: fix the device for dma_map_single/dma_unmap_single

The ndev->dev and pdev->dev aren't the same device, use ndev->dev.parent which has dma_mask, ndev->dev.parent is just pdev->dev. Or it would cause the following issue:

[ 39.933526] ------------[ cut here ]------------
[ 39.938414] WARNING: CPU: 1 PID: 501 at kernel/dma/mapping.c:149 dma_map_page_attrs+0x90/0x1f8


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: net: enetc: allocate vf_state during PF probes

In the previous implementation, vf_state is allocated memory only when VF is enabled. However, net_device_ops::ndo_set_vf_mac() may be called before VF is enabled to configure the MAC address of VF. If this is the case, enetc_pf_set_vf_mac() will access vf_state, resulting in access to a null pointer. The simplified error log is as follows.

root@ls1028ardb:~# ip link set eno0 vf 1 mac 00:0c:e7:66:77:89
[ 173.543315] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
[ 173.637254] pc : enetc_pf_set_vf_mac+0x3c/0x80
Message from sy
[ 173.641973] lr : do_setlink+0x4a8/0xec8
[ 173.732292] Call trace:
[ 173.734740] enetc_pf_set_vf_mac+0x3c/0x80
[ 173.738847] __rtnl_newlink+0x530/0x89c
[ 173.742692] rtnl_newlink+0x50/0x7c
[ 173.746189] rtnetlink_rcv_msg+0x128/0x390
[ 173.750298] netlink_rcv_skb+0x60/0x130
[ 173.754145] rtnetlink_rcv+0x18/0x24
[ 173.757731] netlink_unicast+0x318/0x380
[ 173.761665] netlink_sendmsg+0x17c/0x3c8


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: security/keys: fix slab-out-of-bounds in key_task_permission

KASAN reports an out of bounds read:

BUG: KASAN: slab-out-of-bounds in __kuid_val include/linux/uidgid.h:36
BUG: KASAN: slab-out-of-bounds in uid_eq include/linux/uidgid.h:63 [inline]
BUG: KASAN: slab-out-of-bounds in key_task_permission+0x394/0x410 security/keys/permission.c:54
Read of size 4 at addr ffff88813c3ab618 by task stress-ng/4362

CPU: 2 PID: 4362 Comm: stress-ng Not tainted 5.10.0-14930-gafbffd6c3ede #15
Call Trace:
__dump_stack lib/dump_stack.c:82 [inline]
dump_stack+0x107/0x167 lib/dump_stack.c:123
print_address_description.constprop.0+0x19/0x170 mm/kasan/report.c:400
__kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560
kasan_report+0x3a/0x50 mm/kasan/report.c:585
__kuid_val include/linux/uidgid.h:36 [inline]
uid_eq include/linux/uidgid.h:63 [inline]
key_task_permission+0x394/0x410 security/keys/permission.c:54
search_nested_keyrings+0x90e/0xe90 security/keys/keyring.c:793

This issue was also reported by syzbot.

It can be reproduced by following these steps (more details [1]):

1. Obtain more than 32 inputs that have similar hashes, which ends with the pattern '0xxxxxxxe6'.
2. Reboot and add the keys obtained in step 1.

The reproducer demonstrates how this issue happened:

1. In the search_nested_keyrings function, when it iterates through the slots in a node (below tag ascend_to_node), if the slot pointer is meta and node->back_pointer != NULL (it means a root), it will proceed to descend_to_node. However, there is an exception. If node is the root, and one of the slots points to a shortcut, it will be treated as a keyring.
2. Whether the ptr is keyring is decided by keyring_ptr_is_keyring function. However, KEYRING_PTR_SUBTYPE is 0x2UL, the same as ASSOC_ARRAY_PTR_SUBTYPE_MASK.
3. When 32 keys with the similar hashes are added to the tree, the ROOT has keys with hashes that are not similar (e.g. slot 0) and it splits NODE A without using a shortcut. When NODE A is filled with keys that all hashes are xxe6, the keys are similar, NODE A will split with a shortcut. Finally, it forms the tree as shown below, where slot 6 points to a shortcut.

[ASCII-art tree, flattened by extraction: ROOT holds a key with a dissimilar hash (xxxx) in slot 0, and its slot 6 points through a shortcut to NODE A, whose slots 0..f all hold keys with hashes ending in xxe6.]

4. As mentioned above, If a slot (slot 6) of the root points to a shortcut, it may be mistakenly transferred to a key*, leading to an out-of-bounds read.

To fix this issue, one should jump to descend_to_node if the ptr is a shortcut, regardless of whether the node is root or not.

[1] https://lore.kernel.org/linux-kernel/1cfa878e-8c7b-4570-8606-21daf5e13ce7@huaweicloud.com/

[jarkko: tweaked the commit message a bit to have an appropriate closes tag.]


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: HID: core: zero-initialize the report buffer Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: prevent NULL pointer dereference if ATIF is not supported acpi_evaluate_object() may return AE_NOT_FOUND (failure), which would result in dereferencing buffer.pointer (obj) while being NULL. Although this case may be unrealistic for the current code, it is still better to protect against possible bugs. Bail out also when status is AE_NOT_FOUND. This fixes 1 FORWARD_NULL issue reported by Coverity Report: CID 1600951: Null pointer dereferences (FORWARD_NULL) (cherry picked from commit 91c9e221fe2553edf2db71627d8453f083de87a1)


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: mm/thp: fix deferred split unqueue naming and locking

Recent changes are putting more pressure on THP deferred split queues: under load revealing long-standing races, causing list_del corruptions, "Bad page state"s and worse (I keep BUGs in both of those, so usually don't get to see how badly they end up without). The relevant recent changes being 6.8's mTHP, 6.10's mTHP swapout, and 6.12's mTHP swapin, improved swap allocation, and underused THP splitting.

Before fixing locking: rename misleading folio_undo_large_rmappable(), which does not undo large_rmappable, to folio_unqueue_deferred_split(), which is what it does. But that and its out-of-line __callee are mm internals of very limited usability: add comment and WARN_ON_ONCEs to check usage; and return a bool to say if a deferred split was unqueued, which can then be used in WARN_ON_ONCEs around safety checks (sparing callers the arcane conditionals in __folio_unqueue_deferred_split()).

Just omit the folio_unqueue_deferred_split() from free_unref_folios(), all of whose callers now call it beforehand (and if any forget then bad_page() will tell) - except for its caller put_pages_list(), which itself no longer has any callers (and will be deleted separately).

Swapout: mem_cgroup_swapout() has been resetting folio->memcg_data 0 without checking and unqueueing a THP folio from deferred split list; which is unfortunate, since the split_queue_lock depends on the memcg (when memcg is enabled); so swapout has been unqueueing such THPs later, when freeing the folio, using the pgdat's lock instead: potentially corrupting the memcg's list. __remove_mapping() has frozen refcount to 0 here, so no problem with calling folio_unqueue_deferred_split() before resetting memcg_data.

That goes back to 5.4 commit 87eaceb3faa5 ("mm: thp: make deferred split shrinker memcg aware"): which included a check on swapcache before adding to deferred queue, but no check on deferred queue before adding THP to swapcache. That worked fine with the usual sequence of events in reclaim (though there were a couple of rare ways in which a THP on deferred queue could have been swapped out), but 6.12 commit dafff3f4c850 ("mm: split underused THPs") avoids splitting underused THPs in reclaim, which makes swapcache THPs on deferred queue commonplace.

Keep the check on swapcache before adding to deferred queue? Yes: it is no longer essential, but preserves the existing behaviour, and is likely to be a worthwhile optimization (vmstat showed much more traffic on the queue under swapping load if the check was removed); update its comment.

Memcg-v1 move (deprecated): mem_cgroup_move_account() has been changing folio->memcg_data without checking and unqueueing a THP folio from the deferred list, sometimes corrupting "from" memcg's list, like swapout. Refcount is non-zero here, so folio_unqueue_deferred_split() can only be used in a WARN_ON_ONCE to validate the fix, which must be done earlier: mem_cgroup_move_charge_pte_range() first try to split the THP (splitting of course unqueues), or skip it if that fails. Not ideal, but moving charge has been requested, and khugepaged should repair the THP later: nobody wants new custom unqueueing code just for this deprecated case.

The 87eaceb3faa5 commit did have the code to move from one deferred list to another (but was not conscious of its unsafety while refcount non-0); but that was removed by 5.6 commit fac0516b5534 ("mm: thp: don't need care deferred split queue in memcg charge move path"), which argued that the existence of a PMD mapping guarantees that the THP cannot be on a deferred list. As above, false in rare cases, and now commonly false.

Backport to 6.11 should be straightforward. Earlier backports must take care that other _deferred_list fixes and dependencies are included. There is not a strong case for backports, but they can fix corner cases.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: tpm: Lock TPM chip in tpm_pm_suspend() first. Setting TPM_CHIP_FLAG_SUSPENDED at the end of tpm_pm_suspend() can be racy, as this leaves a window for tpm_hwrng_read() to be called while the operation is in progress. The recent bug report also gives evidence of this behaviour. Address this by locking the TPM chip before checking any chip->flags both in tpm_pm_suspend() and tpm_hwrng_read(). Move the TPM_CHIP_FLAG_SUSPENDED check inside tpm_get_random() so that it will always be checked only when the lock is held.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: i40e: fix race condition by adding filter's intermediate sync state

Fix a race condition in the i40e driver that leads to MAC/VLAN filters becoming corrupted and leaking. Address the issue that occurs under heavy load when multiple threads are concurrently modifying MAC/VLAN filters by setting mac and port VLAN.

1. Thread T0 allocates a filter in i40e_add_filter() within i40e_ndo_set_vf_port_vlan().
2. Thread T1 concurrently frees the filter in __i40e_del_filter() within i40e_ndo_set_vf_mac().
3. Subsequently, i40e_service_task() calls i40e_sync_vsi_filters(), which refers to the already freed filter memory, causing corruption.

Reproduction steps:

1. Spawn multiple VFs.
2. Apply a concurrent heavy load by running parallel operations to change MAC addresses on the VFs and change port VLANs on the host.
3. Observe errors in dmesg: "Error I40E_AQ_RC_ENOSPC adding RX filters on VF XX, please set promiscuous on manually for VF XX".

Exact code for stable reproduction Intel can't open-source now.

The fix involves implementing a new intermediate filter state, I40E_FILTER_NEW_SYNC, for the time when a filter is on a tmp_add_list. These filters cannot be deleted from the hash list directly but must be removed using the full process.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format This can lead to out of bounds writes since frames of this type were not taken into account when calculating the size of the frames buffer in uvc_parse_streaming.


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References

Description

In the Linux kernel, the following vulnerability has been resolved: vp_vdpa: fix id_table array not null terminated error Allocate one extra virtio_device_id as null terminator, otherwise vdpa_mgmtdev_get_classes() may iterate multiple times and visit undefined memory.
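Added example, not the kernel's or the SUSE package's code: a simplified stand-in for the vp_vdpa id_table, allocated with and without the terminating zero entry, plus a bounded version of the consumer's walk showing that only the n + 1 allocation lets the loop stop inside the buffer. The struct mirrors virtio_device_id; alloc_id_table_buggy, alloc_id_table_fixed, walk_id_table and the ids 1, 2, 3 are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified stand-in for the kernel's struct virtio_device_id: consumers
 * walk a table of these until they hit an entry whose .device is 0. */
struct virtio_device_id {
    uint32_t device;
    uint32_t vendor;
};

#define VIRTIO_DEV_ANY_ID 0xffffffffU

/* Fill n entries from a constructed list of device ids. */
static void fill_ids(struct virtio_device_id *t, const uint32_t *devs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        t[i].device = devs[i];
        t[i].vendor = VIRTIO_DEV_ANY_ID;
    }
}

/* The defect: exactly n slots, so no zeroed entry terminates the table. */
struct virtio_device_id *alloc_id_table_buggy(const uint32_t *devs, size_t n)
{
    struct virtio_device_id *t = calloc(n, sizeof(*t));
    if (t)
        fill_ids(t, devs, n);
    return t;
}

/* The fix: n + 1 slots; calloc leaves the extra entry zeroed as terminator. */
struct virtio_device_id *alloc_id_table_fixed(const uint32_t *devs, size_t n)
{
    struct virtio_device_id *t = calloc(n + 1, sizeof(*t));
    if (t)
        fill_ids(t, devs, n);
    return t;
}

/* Bounded stand-in for the consumer's walk (the real loop has no bound).
 * Returns the number of ids before the terminator, or -1 if the allocation
 * ended without one, i.e. the real loop would read past the buffer. */
long walk_id_table(const struct virtio_device_id *t, size_t allocated)
{
    for (size_t i = 0; i < allocated; i++)
        if (t[i].device == 0)
            return (long)i;
    return -1;
}
```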


Affected products
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-default-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-devel-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-macros-5.14.21-150500.55.88.1
Container bci/bci-sle15-kernel-module-devel:15.5:kernel-syms-5.14.21-150500.55.88.1

References
Vulnerability SUSE-SU-2024:4364-1